chore: keep support for role for backward compatibility

fix: leftovers
feat: introduce user_role table
2026-03-18 18:52:15 +00:00 · 2026-03-18 23:44:56 +05:30 · 2026-03-18 22:08:24 +05:30 · 2026-03-18 20:21:52 +05:30 · 2026-03-18 02:31:52 +05:30 · 2026-03-18 02:10:15 +05:30
31 changed files with 1192 additions and 313 deletions
--- a/ee/query-service/app/api/cloudIntegrations.go
+++ b/ee/query-service/app/api/cloudIntegrations.go
@@ -10,6 +10,8 @@ import (
 	"strings"
 	"time"

+	"log/slog"
+
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/http/render"
 	"github.com/SigNoz/signoz/pkg/modules/user"
@@ -18,7 +20,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/gorilla/mux"
-	"log/slog"
 )

 type CloudIntegrationConnectionParamsResponse struct {
@@ -169,7 +170,7 @@ func (ah *APIHandler) getOrCreateCloudIntegrationUser(
 	cloudIntegrationUserName := fmt.Sprintf("%s-integration", cloudProvider)
 	email := valuer.MustNewEmail(fmt.Sprintf("%s@signoz.io", cloudIntegrationUserName))

-	cloudIntegrationUser, err := types.NewUser(cloudIntegrationUserName, email, types.RoleViewer, valuer.MustNewUUID(orgId), types.UserStatusActive)
+	cloudIntegrationUser, err := types.NewUser(cloudIntegrationUserName, email, types.RoleViewer, []string{authtypes.SigNozViewerRoleName}, valuer.MustNewUUID(orgId), types.UserStatusActive)
 	if err != nil {
 		return nil, basemodel.InternalError(fmt.Errorf("couldn't create cloud integration user: %w", err))
 	}
--- a/pkg/apiserver/signozapiserver/user.go
+++ b/pkg/apiserver/signozapiserver/user.go
@@ -186,7 +186,7 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		Description:         "This endpoint lists all users",
 		Request:             nil,
 		RequestContentType:  "",
-		Response:            make([]*types.GettableUser, 0),
+		Response:            make([]*types.User, 0),
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{},
@@ -203,7 +203,7 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		Description:         "This endpoint returns the user I belong to",
 		Request:             nil,
 		RequestContentType:  "",
-		Response:            new(types.GettableUser),
+		Response:            new(types.User),
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{},
@@ -220,7 +220,7 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		Description:         "This endpoint returns the user by id",
 		Request:             nil,
 		RequestContentType:  "",
-		Response:            new(types.GettableUser),
+		Response:            new(types.User),
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{http.StatusNotFound},
@@ -237,7 +237,7 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		Description:         "This endpoint updates the user by id",
 		Request:             new(types.User),
 		RequestContentType:  "application/json",
-		Response:            new(types.GettableUser),
+		Response:            new(types.User),
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusNotFound},
--- a/pkg/authn/authnstore/sqlauthnstore/store.go
+++ b/pkg/authn/authnstore/sqlauthnstore/store.go
@@ -17,8 +17,8 @@ func NewStore(sqlstore sqlstore.SQLStore) authtypes.AuthNStore {
 	return &store{sqlstore: sqlstore}
 }

-func (store *store) GetActiveUserAndFactorPasswordByEmailAndOrgID(ctx context.Context, email string, orgID valuer.UUID) (*types.User, *types.FactorPassword, error) {
-	user := new(types.User)
+func (store *store) GetActiveUserAndFactorPasswordByEmailAndOrgID(ctx context.Context, email string, orgID valuer.UUID) (*types.StorableUser, *types.FactorPassword, error) {
+	user := new(types.StorableUser)
 	factorPassword := new(types.FactorPassword)

 	err := store.
--- a/pkg/authn/passwordauthn/emailpasswordauthn/authn.go
+++ b/pkg/authn/passwordauthn/emailpasswordauthn/authn.go
@@ -30,5 +30,5 @@ func (a *AuthN) Authenticate(ctx context.Context, email string, password string,
 		return nil, errors.New(errors.TypeUnauthenticated, types.ErrCodeIncorrectPassword, "invalid email or password")
 	}

-	return authtypes.NewIdentity(user.ID, orgID, user.Email, user.Role, authtypes.IdentNProviderTokenizer), nil
+	return authtypes.NewIdentity(user.ID, orgID, user.Email, types.RoleViewer, authtypes.IdentNProviderTokenizer), nil
 }
--- a/pkg/modules/session/implsession/module.go
+++ b/pkg/modules/session/implsession/module.go
@@ -8,6 +8,7 @@ import (
 	"time"

 	"github.com/SigNoz/signoz/pkg/authn"
+	"github.com/SigNoz/signoz/pkg/authz"
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/factory"
 	"github.com/SigNoz/signoz/pkg/modules/authdomain"
@@ -28,9 +29,10 @@ type module struct {
 	authDomain authdomain.Module
 	tokenizer  tokenizer.Tokenizer
 	orgGetter  organization.Getter
+	authz      authz.AuthZ
 }

-func NewModule(providerSettings factory.ProviderSettings, authNs map[authtypes.AuthNProvider]authn.AuthN, user user.Module, userGetter user.Getter, authDomain authdomain.Module, tokenizer tokenizer.Tokenizer, orgGetter organization.Getter) session.Module {
+func NewModule(providerSettings factory.ProviderSettings, authNs map[authtypes.AuthNProvider]authn.AuthN, user user.Module, userGetter user.Getter, authDomain authdomain.Module, tokenizer tokenizer.Tokenizer, orgGetter organization.Getter, authz authz.AuthZ) session.Module {
 	return &module{
 		settings:   factory.NewScopedProviderSettings(providerSettings, "github.com/SigNoz/signoz/pkg/modules/session/implsession"),
 		authNs:     authNs,
@@ -39,6 +41,7 @@ func NewModule(providerSettings factory.ProviderSettings, authNs map[authtypes.A
 		authDomain: authDomain,
 		tokenizer:  tokenizer,
 		orgGetter:  orgGetter,
+		authz:      authz,
 	}
 }

@@ -142,9 +145,15 @@ func (module *module) CreateCallbackAuthNSession(ctx context.Context, authNProvi
 	}

 	roleMapping := authDomain.AuthDomainConfig().RoleMapping
-	role := roleMapping.NewRoleFromCallbackIdentity(callbackIdentity)
+	legacyRole, managedRoles := roleMapping.ManagedRolesFromCallbackIdentity(callbackIdentity)

-	user, err := types.NewUser(callbackIdentity.Name, callbackIdentity.Email, role, callbackIdentity.OrgID, types.UserStatusActive)
+	// pass only valid or fallback to viewer
+	validRoles, err := module.resolveValidRoles(ctx, callbackIdentity.OrgID, managedRoles, callbackIdentity.Email)
+	if err != nil {
+		return "", err
+	}
+
+	user, err := types.NewUser(callbackIdentity.Name, callbackIdentity.Email, legacyRole, validRoles, callbackIdentity.OrgID, types.UserStatusActive)
 	if err != nil {
 		return "", err
 	}
@@ -158,7 +167,7 @@ func (module *module) CreateCallbackAuthNSession(ctx context.Context, authNProvi
 		return "", errors.WithAdditionalf(err, "root user can only authenticate via password")
 	}

-	token, err := module.tokenizer.CreateToken(ctx, authtypes.NewIdentity(user.ID, user.OrgID, user.Email, user.Role, authtypes.IdentNProviderTokenizer), map[string]string{})
+	token, err := module.tokenizer.CreateToken(ctx, authtypes.NewIdentity(user.ID, user.OrgID, user.Email, types.RoleViewer, authtypes.IdentNProviderTokenizer), map[string]string{})
 	if err != nil {
 		return "", err
 	}
@@ -222,3 +231,38 @@ func getProvider[T authn.AuthN](authNProvider authtypes.AuthNProvider, authNs ma

 	return provider, nil
 }
+
+// resolveValidRoles validates role names against the database
+// returns only roles that exist. If none are valid, falls back to signoz-viewer role
+func (module *module) resolveValidRoles(ctx context.Context, orgID valuer.UUID, roles []string, email valuer.Email) ([]string, error) {
+	storableRoles, err := module.authz.ListByOrgIDAndNames(ctx, orgID, roles)
+	if err != nil {
+		return nil, err
+	}
+
+	validRoles := make([]string, 0, len(storableRoles))
+	validSet := make(map[string]struct{})
+	for _, sr := range storableRoles {
+		validRoles = append(validRoles, sr.Name)
+		validSet[sr.Name] = struct{}{}
+	}
+
+	// log ignored roles
+	if len(validRoles) < len(roles) {
+		var ignored []string
+		for _, r := range roles {
+			if _, ok := validSet[r]; !ok {
+				ignored = append(ignored, r)
+			}
+		}
+		module.settings.Logger().WarnContext(ctx, "ignoring non-existent roles from SSO mapping", "ignored_roles", ignored, "email", email)
+	}
+
+	// fallback to viewer if no valid roles
+	if len(validRoles) == 0 {
+		module.settings.Logger().WarnContext(ctx, "no valid roles from SSO mapping, falling back to viewer", "email", email)
+		validRoles = []string{authtypes.SigNozViewerRoleName}
+	}
+
+	return validRoles, nil
+}
--- a/pkg/modules/tracefunnel/impltracefunnel/module.go
+++ b/pkg/modules/tracefunnel/impltracefunnel/module.go
@@ -30,7 +30,7 @@ func (module *module) Create(ctx context.Context, timestamp int64, name string,
 	funnel.CreatedBy = userID.String()

 	// Set up the user relationship
-	funnel.CreatedByUser = &types.User{
+	funnel.CreatedByUser = &types.StorableUser{
 		Identifiable: types.Identifiable{
 			ID: userID,
 		},
--- a/pkg/modules/user/impluser/getter.go
+++ b/pkg/modules/user/impluser/getter.go
@@ -2,78 +2,56 @@ package impluser

 import (
 	"context"
-	"slices"

-	"github.com/SigNoz/signoz/pkg/flagger"
 	"github.com/SigNoz/signoz/pkg/modules/user"
 	"github.com/SigNoz/signoz/pkg/types"
-	"github.com/SigNoz/signoz/pkg/types/featuretypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 )

 type getter struct {
-	store   types.UserStore
-	flagger flagger.Flagger
+	store types.UserStore
 }

-func NewGetter(store types.UserStore, flagger flagger.Flagger) user.Getter {
-	return &getter{store: store, flagger: flagger}
-}
-
-func (module *getter) GetRootUserByOrgID(ctx context.Context, orgID valuer.UUID) (*types.User, error) {
-	return module.store.GetRootUserByOrgID(ctx, orgID)
+func NewGetter(store types.UserStore) user.Getter {
+	return &getter{store: store}
 }

 func (module *getter) ListByOrgID(ctx context.Context, orgID valuer.UUID) ([]*types.User, error) {
-	users, err := module.store.ListUsersByOrgID(ctx, orgID)
+	storableUsers, err := module.store.ListUsersByOrgID(ctx, orgID)
 	if err != nil {
 		return nil, err
 	}

-	// filter root users if feature flag `hide_root_users` is true
-	evalCtx := featuretypes.NewFlaggerEvaluationContext(orgID)
-	hideRootUsers := module.flagger.BooleanOrEmpty(ctx, flagger.FeatureHideRootUser, evalCtx)
-
-	if hideRootUsers {
-		users = slices.DeleteFunc(users, func(user *types.User) bool { return user.IsRoot })
+	// we are not resolving roles for getter methods
+	users := make([]*types.User, len(storableUsers))
+	for idx, storableUser := range storableUsers {
+		users[idx] = types.NewUserFromStorable(storableUser, make([]string, 0))
 	}

 	return users, nil
 }

-func (module *getter) GetUsersByEmail(ctx context.Context, email valuer.Email) ([]*types.User, error) {
-	users, err := module.store.GetUsersByEmail(ctx, email)
-	if err != nil {
-		return nil, err
-	}
-
-	return users, nil
-}
-
-func (module *getter) GetByOrgIDAndID(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*types.User, error) {
-	user, err := module.store.GetByOrgIDAndID(ctx, orgID, id)
-	if err != nil {
-		return nil, err
-	}
-
-	return user, nil
-}
-
 func (module *getter) Get(ctx context.Context, id valuer.UUID) (*types.User, error) {
-	user, err := module.store.GetUser(ctx, id)
+	storableUser, err := module.store.GetUser(ctx, id)
 	if err != nil {
 		return nil, err
 	}

-	return user, nil
+	return types.NewUserFromStorable(storableUser, make([]string, 0)), nil
 }

 func (module *getter) ListUsersByEmailAndOrgIDs(ctx context.Context, email valuer.Email, orgIDs []valuer.UUID) ([]*types.User, error) {
-	users, err := module.store.ListUsersByEmailAndOrgIDs(ctx, email, orgIDs)
+	storableUsers, err := module.store.ListUsersByEmailAndOrgIDs(ctx, email, orgIDs)
 	if err != nil {
 		return nil, err
 	}

+	users := make([]*types.User, len(storableUsers))
+
+	for idx, storableUser := range storableUsers {
+		users[idx] = types.NewUserFromStorable(storableUser, make([]string, 0))
+	}
+
 	return users, nil
 }

--- a/pkg/modules/user/impluser/handler.go
+++ b/pkg/modules/user/impluser/handler.go
@@ -169,7 +169,7 @@ func (h *handler) GetUser(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	user, err := h.getter.GetByOrgIDAndID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(id))
+	user, err := h.module.GetByOrgIDAndUserID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(id))
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -188,7 +188,7 @@ func (h *handler) GetMyUser(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	user, err := h.getter.GetByOrgIDAndID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(claims.UserID))
+	user, err := h.module.GetByOrgIDAndUserID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(claims.UserID))
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -207,7 +207,7 @@ func (h *handler) ListUsers(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	users, err := h.getter.ListByOrgID(ctx, valuer.MustNewUUID(claims.OrgID))
+	users, err := h.module.ListUsersByOrgID(ctx, valuer.MustNewUUID(claims.OrgID))
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -270,7 +270,7 @@ func (handler *handler) GetResetPasswordToken(w http.ResponseWriter, r *http.Req
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()

-	id := mux.Vars(r)["id"]
+	userID := mux.Vars(r)["id"]

 	claims, err := authtypes.ClaimsFromContext(ctx)
 	if err != nil {
@@ -278,13 +278,7 @@ func (handler *handler) GetResetPasswordToken(w http.ResponseWriter, r *http.Req
 		return
 	}

-	user, err := handler.getter.GetByOrgIDAndID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(id))
-	if err != nil {
-		render.Error(w, err)
-		return
-	}
-
-	token, err := handler.module.GetOrCreateResetPasswordToken(ctx, user.ID)
+	token, err := handler.module.GetOrCreateResetPasswordToken(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(userID))
 	if err != nil {
 		render.Error(w, err)
 		return
--- a/pkg/modules/user/impluser/module.go
+++ b/pkg/modules/user/impluser/module.go
@@ -11,47 +11,103 @@ import (
 	"github.com/SigNoz/signoz/pkg/emailing"
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/flagger"
 	"github.com/SigNoz/signoz/pkg/modules/organization"
-	"github.com/SigNoz/signoz/pkg/modules/user"
 	root "github.com/SigNoz/signoz/pkg/modules/user"
 	"github.com/SigNoz/signoz/pkg/tokenizer"
 	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/types/emailtypes"
+	"github.com/SigNoz/signoz/pkg/types/featuretypes"
 	"github.com/SigNoz/signoz/pkg/types/integrationtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/dustin/go-humanize"
 )

 type Module struct {
-	store     types.UserStore
-	tokenizer tokenizer.Tokenizer
-	emailing  emailing.Emailing
-	settings  factory.ScopedProviderSettings
-	orgSetter organization.Setter
-	authz     authz.AuthZ
-	analytics analytics.Analytics
-	config    user.Config
+	store         types.UserStore
+	userRoleStore authtypes.UserRoleStore
+	tokenizer     tokenizer.Tokenizer
+	emailing      emailing.Emailing
+	settings      factory.ScopedProviderSettings
+	orgSetter     organization.Setter
+	authz         authz.AuthZ
+	analytics     analytics.Analytics
+	config        root.Config
+	flagger       flagger.Flagger
 }

 // This module is a WIP, don't take inspiration from this.
-func NewModule(store types.UserStore, tokenizer tokenizer.Tokenizer, emailing emailing.Emailing, providerSettings factory.ProviderSettings, orgSetter organization.Setter, authz authz.AuthZ, analytics analytics.Analytics, config user.Config) root.Module {
+func NewModule(store types.UserStore, userRoleStore authtypes.UserRoleStore, tokenizer tokenizer.Tokenizer, emailing emailing.Emailing, providerSettings factory.ProviderSettings, orgSetter organization.Setter, authz authz.AuthZ, analytics analytics.Analytics, config root.Config, flagger flagger.Flagger) root.Module {
 	settings := factory.NewScopedProviderSettings(providerSettings, "github.com/SigNoz/signoz/pkg/modules/user/impluser")
 	return &Module{
-		store:     store,
-		tokenizer: tokenizer,
-		emailing:  emailing,
-		settings:  settings,
-		orgSetter: orgSetter,
-		analytics: analytics,
-		authz:     authz,
-		config:    config,
+		store:         store,
+		userRoleStore: userRoleStore,
+		tokenizer:     tokenizer,
+		emailing:      emailing,
+		settings:      settings,
+		orgSetter:     orgSetter,
+		analytics:     analytics,
+		authz:         authz,
+		config:        config,
+		flagger:       flagger,
 	}
 }

+// this function gets user with its proper roles populated
+func (m *Module) GetByOrgIDAndUserID(ctx context.Context, orgID, userID valuer.UUID) (*types.User, error) {
+	storableUser, err := m.store.GetByOrgIDAndID(ctx, orgID, userID)
+	if err != nil {
+		return nil, err
+	}
+
+	roleNames, err := m.resolveRoleNamesForUser(ctx, userID, storableUser.OrgID)
+	if err != nil {
+		return nil, err
+	}
+
+	user := types.NewUserFromStorable(storableUser, roleNames)
+
+	return user, nil
+}
+
+func (module *Module) ListUsersByOrgID(ctx context.Context, orgID valuer.UUID) ([]*types.User, error) {
+	storableUsers, err := module.store.ListUsersByOrgID(ctx, orgID)
+	if err != nil {
+		return nil, err
+	}
+
+	userIDs := make([]valuer.UUID, len(storableUsers))
+	for idx, storableUser := range storableUsers {
+		userIDs[idx] = storableUser.ID
+	}
+
+	storableUserRoles, err := module.userRoleStore.ListUserRolesByOrgIDAndUserIDs(ctx, orgID, userIDs)
+	if err != nil {
+		return nil, err
+	}
+
+	userIDToRoleIDs, roleIDs := authtypes.GetUserIDToRoleIDsMappingAndUniqueRoles(storableUserRoles)
+	roles, err := module.authz.ListByOrgIDAndIDs(ctx, orgID, roleIDs)
+	if err != nil {
+		return nil, err
+	}
+
+	evalCtx := featuretypes.NewFlaggerEvaluationContext(orgID)
+	hideRootUsers := module.flagger.BooleanOrEmpty(ctx, flagger.FeatureHideRootUser, evalCtx)
+
+	if hideRootUsers {
+		storableUsers = slices.DeleteFunc(storableUsers, func(user *types.StorableUser) bool { return user.IsRoot })
+	}
+
+	users := module.usersFromStorableUsersAndRolesMaps(storableUsers, roles, userIDToRoleIDs)
+
+	return users, nil
+}
+
 func (m *Module) AcceptInvite(ctx context.Context, token string, password string) (*types.User, error) {
 	// get the user by reset password token
-	user, err := m.store.GetUserByResetPasswordToken(ctx, token)
+	storableUser, err := m.store.GetUserByResetPasswordToken(ctx, token)
 	if err != nil {
 		return nil, err
 	}
@@ -63,7 +119,7 @@ func (m *Module) AcceptInvite(ctx context.Context, token string, password string
 	}

 	// query the user again
-	user, err = m.store.GetByOrgIDAndID(ctx, user.OrgID, user.ID)
+	user, err := m.GetByOrgIDAndUserID(ctx, storableUser.OrgID, storableUser.ID)
 	if err != nil {
 		return nil, err
 	}
@@ -73,7 +129,12 @@ func (m *Module) AcceptInvite(ctx context.Context, token string, password string

 func (m *Module) GetInviteByToken(ctx context.Context, token string) (*types.Invite, error) {
 	// get the user
-	user, err := m.store.GetUserByResetPasswordToken(ctx, token)
+	storableUser, err := m.store.GetUserByResetPasswordToken(ctx, token)
+	if err != nil {
+		return nil, err
+	}
+
+	user, err := m.GetByOrgIDAndUserID(ctx, storableUser.OrgID, storableUser.ID)
 	if err != nil {
 		return nil, err
 	}
@@ -87,6 +148,7 @@ func (m *Module) GetInviteByToken(ctx context.Context, token string) (*types.Inv
 		Email: user.Email,
 		Token: token,
 		Role:  user.Role,
+		Roles: user.Roles,
 		OrgID: user.OrgID,
 		TimeAuditable: types.TimeAuditable{
 			CreatedAt: user.CreatedAt,
@@ -106,24 +168,40 @@ func (m *Module) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID

 	// validate all emails to be invited
 	emails := make([]string, len(bulkInvites.Invites))
+	var allRolesFromRequest []string
+	seenRolesFromRequest := make(map[string]struct{})
 	for idx, invite := range bulkInvites.Invites {
 		emails[idx] = invite.Email.StringValue()
+		// for role name validation
+		for _, role := range invite.Roles {
+			if _, ok := seenRolesFromRequest[role]; !ok {
+				seenRolesFromRequest[role] = struct{}{}
+				allRolesFromRequest = append(allRolesFromRequest, role)
+			}
+		}
 	}
-	users, err := m.store.GetUsersByEmailsOrgIDAndStatuses(ctx, orgID, emails, []string{types.UserStatusActive.StringValue(), types.UserStatusPendingInvite.StringValue()})
+
+	storableUsers, err := m.store.GetUsersByEmailsOrgIDAndStatuses(ctx, orgID, emails, []string{types.UserStatusActive.StringValue(), types.UserStatusPendingInvite.StringValue()})
 	if err != nil {
 		return nil, err
 	}

-	if len(users) > 0 {
-		if err := users[0].ErrIfRoot(); err != nil {
+	if len(storableUsers) > 0 {
+		if err := storableUsers[0].ErrIfRoot(); err != nil {
 			return nil, errors.WithAdditionalf(err, "Cannot send invite to root user")
 		}

-		if users[0].Status == types.UserStatusPendingInvite {
-			return nil, errors.Newf(errors.TypeAlreadyExists, errors.CodeAlreadyExists, "An invite already exists for this email: %s", users[0].Email.StringValue())
+		if storableUsers[0].Status == types.UserStatusPendingInvite {
+			return nil, errors.Newf(errors.TypeAlreadyExists, errors.CodeAlreadyExists, "An invite already exists for this email: %s", storableUsers[0].Email.StringValue())
 		}

-		return nil, errors.Newf(errors.TypeAlreadyExists, errors.CodeAlreadyExists, "User already exists with this email: %s", users[0].Email.StringValue())
+		return nil, errors.Newf(errors.TypeAlreadyExists, errors.CodeAlreadyExists, "User already exists with this email: %s", storableUsers[0].Email.StringValue())
+	}
+
+	// this function returns error if some role is not found by name
+	_, err = m.authz.ListByOrgIDAndNames(ctx, orgID, allRolesFromRequest)
+	if err != nil {
+		return nil, err
 	}

 	type userWithResetToken struct {
@@ -135,25 +213,20 @@ func (m *Module) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID

 	if err := m.store.RunInTx(ctx, func(ctx context.Context) error {
 		for idx, invite := range bulkInvites.Invites {
-			role, err := types.NewRole(invite.Role.String())
-			if err != nil {
-				return err
-			}
-
 			// create a new user with pending invite status
-			newUser, err := types.NewUser(invite.Name, invite.Email, role, orgID, types.UserStatusPendingInvite)
+			newUser, err := types.NewUser(invite.Name, invite.Email, invite.Role,  invite.Roles, orgID, types.UserStatusPendingInvite)
 			if err != nil {
 				return err
 			}

-			// store the user and password in db
+			// store the user and user_role entries in db
 			err = m.createUserWithoutGrant(ctx, newUser)
 			if err != nil {
 				return err
 			}

 			// generate reset password token
-			resetPasswordToken, err := m.GetOrCreateResetPasswordToken(ctx, newUser.ID)
+			resetPasswordToken, err := m.GetOrCreateResetPasswordToken(ctx, newUser.OrgID, newUser.ID)
 			if err != nil {
 				m.settings.Logger().ErrorContext(ctx, "failed to create reset password token for invited user", "error", err)
 				return err
@@ -175,7 +248,7 @@ func (m *Module) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID
 	for idx, userWithToken := range newUsersWithResetToken {
 		m.analytics.TrackUser(ctx, orgID.String(), creator.ID.String(), "Invite Sent", map[string]any{
 			"invitee_email": userWithToken.User.Email,
-			"invitee_role":  userWithToken.User.Role,
+			"invitee_roles": userWithToken.User.Roles,
 		})

 		invite := &types.Invite{
@@ -186,6 +259,7 @@ func (m *Module) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID
 			Email: userWithToken.User.Email,
 			Token: userWithToken.ResetPasswordToken.Token,
 			Role:  userWithToken.User.Role,
+			Roles: userWithToken.User.Roles,
 			OrgID: userWithToken.User.OrgID,
 			TimeAuditable: types.TimeAuditable{
 				CreatedAt: userWithToken.User.CreatedAt,
@@ -219,8 +293,7 @@ func (m *Module) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID
 }

 func (m *Module) ListInvite(ctx context.Context, orgID string) ([]*types.Invite, error) {
-	// find all the users with pending_invite status
-	users, err := m.store.ListUsersByOrgID(ctx, valuer.MustNewUUID(orgID))
+	users, err := m.ListUsersByOrgID(ctx, valuer.MustNewUUID(orgID))
 	if err != nil {
 		return nil, err
 	}
@@ -231,7 +304,7 @@ func (m *Module) ListInvite(ctx context.Context, orgID string) ([]*types.Invite,

 	for _, pUser := range pendingUsers {
 		// get the reset password token
-		resetPasswordToken, err := m.GetOrCreateResetPasswordToken(ctx, pUser.ID)
+		resetPasswordToken, err := m.GetOrCreateResetPasswordToken(ctx, pUser.OrgID, pUser.ID)
 		if err != nil {
 			return nil, err
 		}
@@ -245,6 +318,7 @@ func (m *Module) ListInvite(ctx context.Context, orgID string) ([]*types.Invite,
 			Email: pUser.Email,
 			Token: resetPasswordToken.Token,
 			Role:  pUser.Role,
+			Roles: pUser.Roles,
 			OrgID: pUser.OrgID,
 			TimeAuditable: types.TimeAuditable{
 				CreatedAt: pUser.CreatedAt,
@@ -259,16 +333,27 @@ func (m *Module) ListInvite(ctx context.Context, orgID string) ([]*types.Invite,
 }

 func (module *Module) CreateUser(ctx context.Context, input *types.User, opts ...root.CreateUserOption) error {
-	createUserOpts := root.NewCreateUserOptions(opts...)
-
-	// since assign is idempotant multiple calls to assign won't cause issues in case of retries.
-	err := module.authz.Grant(ctx, input.OrgID, []string{authtypes.MustGetSigNozManagedRoleFromExistingRole(input.Role)}, authtypes.MustNewSubject(authtypes.TypeableUser, input.ID.StringValue(), input.OrgID, nil))
+	// validate the roles
+	_, err := module.authz.ListByOrgIDAndNames(ctx, input.OrgID, input.Roles)
 	if err != nil {
 		return err
 	}

+	// since assign is idempotant multiple calls to assign won't cause issues in case of retries, also we cannot run this in a transaction for now
+	err = module.authz.Grant(ctx, input.OrgID, input.Roles, authtypes.MustNewSubject(authtypes.TypeableUser, input.ID.StringValue(), input.OrgID, nil))
+	if err != nil {
+		return err
+	}
+
+	createUserOpts := root.NewCreateUserOptions(opts...)
+
 	if err := module.store.RunInTx(ctx, func(ctx context.Context) error {
-		if err := module.store.CreateUser(ctx, input); err != nil {
+		if err := module.store.CreateUser(ctx, types.NewStorableUser(input)); err != nil {
+			return err
+		}
+
+		// create user_role junction entries
+		if err := module.createUserRoleEntries(ctx, input); err != nil {
 			return err
 		}

@@ -291,7 +376,7 @@ func (module *Module) CreateUser(ctx context.Context, input *types.User, opts ..
 }

 func (m *Module) UpdateUser(ctx context.Context, orgID valuer.UUID, id string, user *types.User, updatedBy string) (*types.User, error) {
-	existingUser, err := m.store.GetUser(ctx, valuer.MustNewUUID(id))
+	existingUser, err := m.GetByOrgIDAndUserID(ctx, orgID, valuer.MustNewUUID(id))
 	if err != nil {
 		return nil, err
 	}
@@ -308,18 +393,21 @@ func (m *Module) UpdateUser(ctx context.Context, orgID valuer.UUID, id string, u
 		return nil, errors.WithAdditionalf(err, "cannot update pending user")
 	}

-	requestor, err := m.store.GetUser(ctx, valuer.MustNewUUID(updatedBy))
+	requestor, err := m.GetByOrgIDAndUserID(ctx, orgID, valuer.MustNewUUID(updatedBy))
 	if err != nil {
 		return nil, err
 	}

-	if user.Role != "" && user.Role != existingUser.Role && requestor.Role != types.RoleAdmin {
+	grants, revokes := existingUser.PatchRoles(user.Roles)
+	rolesChanged := (len(grants) > 0) || (len(revokes) > 0)
+
+	if rolesChanged && !slices.Contains(requestor.Roles, authtypes.SigNozAdminRoleName) {
 		return nil, errors.New(errors.TypeForbidden, errors.CodeForbidden, "only admins can change roles")
 	}

 	// Make sure that the request is not demoting the last admin user.
-	if user.Role != "" && user.Role != existingUser.Role && existingUser.Role == types.RoleAdmin {
-		adminUsers, err := m.store.GetActiveUsersByRoleAndOrgID(ctx, types.RoleAdmin, orgID)
+	if rolesChanged && slices.Contains(existingUser.Roles, authtypes.SigNozAdminRoleName) && !slices.Contains(user.Roles, authtypes.SigNozAdminRoleName) {
+		adminUsers, err := m.store.GetActiveUsersByRoleNameAndOrgID(ctx, authtypes.SigNozAdminRoleName, orgID)
 		if err != nil {
 			return nil, err
 		}
@@ -329,28 +417,49 @@ func (m *Module) UpdateUser(ctx context.Context, orgID valuer.UUID, id string, u
 		}
 	}

-	if user.Role != "" && user.Role != existingUser.Role {
-		err = m.authz.ModifyGrant(ctx,
-			orgID,
-			[]string{authtypes.MustGetSigNozManagedRoleFromExistingRole(existingUser.Role)},
-			[]string{authtypes.MustGetSigNozManagedRoleFromExistingRole(user.Role)},
-			authtypes.MustNewSubject(authtypes.TypeableUser, id, orgID, nil),
-		)
+	if rolesChanged {
+		// can't run in txn
+		err = m.authz.ModifyGrant(ctx, orgID, revokes, grants, authtypes.MustNewSubject(authtypes.TypeableUser, id, orgID, nil))
 		if err != nil {
 			return nil, err
 		}
 	}

-	existingUser.Update(user.DisplayName, user.Role)
-	if err := m.UpdateAnyUser(ctx, orgID, existingUser); err != nil {
-		return nil, err
+	existingUser.Update(user.DisplayName, user.Role, user.Roles)
+	if rolesChanged {
+		err = m.store.RunInTx(ctx, func(ctx context.Context) error {
+			// update the user
+			if err := m.UpdateAnyUser(ctx, orgID, existingUser); err != nil {
+				return err
+			}
+
+			// delete old role entries and create new ones
+			if err := m.userRoleStore.DeleteUserRoles(ctx, existingUser.ID); err != nil {
+				return err
+			}
+
+			// create new ones
+			if err := m.createUserRoleEntries(ctx, existingUser); err != nil {
+				return err
+			}
+			return nil
+		})
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		// persist display name change even when roles haven't changed
+		if err := m.UpdateAnyUser(ctx, orgID, existingUser); err != nil {
+			return nil, err
+		}
 	}

 	return existingUser, nil
 }

 func (module *Module) UpdateAnyUser(ctx context.Context, orgID valuer.UUID, user *types.User) error {
-	if err := module.store.UpdateUser(ctx, orgID, user); err != nil {
+	storableUser := types.NewStorableUser(user)
+	if err := module.store.UpdateUser(ctx, orgID, storableUser); err != nil {
 		return err
 	}

@@ -366,7 +475,7 @@ func (module *Module) UpdateAnyUser(ctx context.Context, orgID valuer.UUID, user
 }

 func (module *Module) DeleteUser(ctx context.Context, orgID valuer.UUID, id string, deletedBy string) error {
-	user, err := module.store.GetUser(ctx, valuer.MustNewUUID(id))
+	user, err := module.GetByOrgIDAndUserID(ctx, orgID, valuer.MustNewUUID(id))
 	if err != nil {
 		return err
 	}
@@ -384,17 +493,17 @@ func (module *Module) DeleteUser(ctx context.Context, orgID valuer.UUID, id stri
 	}

 	// don't allow to delete the last admin user
-	adminUsers, err := module.store.GetActiveUsersByRoleAndOrgID(ctx, types.RoleAdmin, orgID)
+	adminUsers, err := module.store.GetActiveUsersByRoleNameAndOrgID(ctx, authtypes.SigNozAdminRoleName, orgID)
 	if err != nil {
 		return err
 	}

-	if len(adminUsers) == 1 && user.Role == types.RoleAdmin {
+	if len(adminUsers) == 1 && slices.Contains(user.Roles, authtypes.SigNozAdminRoleName) {
 		return errors.New(errors.TypeForbidden, errors.CodeForbidden, "cannot delete the last admin")
 	}

 	// since revoke is idempotant multiple calls to revoke won't cause issues in case of retries
-	err = module.authz.Revoke(ctx, orgID, []string{authtypes.MustGetSigNozManagedRoleFromExistingRole(user.Role)}, authtypes.MustNewSubject(authtypes.TypeableUser, id, orgID, nil))
+	err = module.authz.Revoke(ctx, orgID, user.Roles, authtypes.MustNewSubject(authtypes.TypeableUser, id, orgID, nil))
 	if err != nil {
 		return err
 	}
@@ -411,8 +520,8 @@ func (module *Module) DeleteUser(ctx context.Context, orgID valuer.UUID, id stri
 	return nil
 }

-func (module *Module) GetOrCreateResetPasswordToken(ctx context.Context, userID valuer.UUID) (*types.ResetPasswordToken, error) {
-	user, err := module.store.GetUser(ctx, userID)
+func (module *Module) GetOrCreateResetPasswordToken(ctx context.Context, orgID, userID valuer.UUID) (*types.ResetPasswordToken, error) {
+	user, err := module.GetByOrgIDAndUserID(ctx, orgID, userID)
 	if err != nil {
 		return nil, err
 	}
@@ -491,7 +600,7 @@ func (module *Module) ForgotPassword(ctx context.Context, orgID valuer.UUID, ema
 		return errors.WithAdditionalf(err, "cannot reset password for root user")
 	}

-	token, err := module.GetOrCreateResetPasswordToken(ctx, user.ID)
+	token, err := module.GetOrCreateResetPasswordToken(ctx, orgID, user.ID)
 	if err != nil {
 		module.settings.Logger().ErrorContext(ctx, "failed to create reset password token", "error", err)
 		return err
@@ -534,17 +643,17 @@ func (module *Module) UpdatePasswordByResetPasswordToken(ctx context.Context, to
 		return err
 	}

-	user, err := module.store.GetUser(ctx, valuer.MustNewUUID(password.UserID))
+	storableUser, err := module.store.GetUser(ctx, valuer.MustNewUUID(password.UserID))
 	if err != nil {
 		return err
 	}

 	// handle deleted user
-	if err := user.ErrIfDeleted(); err != nil {
+	if err := storableUser.ErrIfDeleted(); err != nil {
 		return errors.WithAdditionalf(err, "deleted users cannot reset their password")
 	}

-	if err := user.ErrIfRoot(); err != nil {
+	if err := storableUser.ErrIfRoot(); err != nil {
 		return errors.WithAdditionalf(err, "cannot reset password for root user")
 	}

@@ -552,12 +661,19 @@ func (module *Module) UpdatePasswordByResetPasswordToken(ctx context.Context, to
 		return err
 	}

+	roleNames, err := module.resolveRoleNamesForUser(ctx, storableUser.ID, storableUser.OrgID)
+	if err != nil {
+		return err
+	}
+
+	user := types.NewUserFromStorable(storableUser, roleNames)
+
 	// since grant is idempotent, multiple calls won't cause issues in case of retries
 	if user.Status == types.UserStatusPendingInvite {
 		if err = module.authz.Grant(
 			ctx,
 			user.OrgID,
-			[]string{authtypes.MustGetSigNozManagedRoleFromExistingRole(user.Role)},
+			user.Roles,
 			authtypes.MustNewSubject(authtypes.TypeableUser, user.ID.StringValue(), user.OrgID, nil),
 		); err != nil {
 			return err
@@ -569,7 +685,7 @@ func (module *Module) UpdatePasswordByResetPasswordToken(ctx context.Context, to
 			if err := user.UpdateStatus(types.UserStatusActive); err != nil {
 				return err
 			}
-			if err := module.store.UpdateUser(ctx, user.OrgID, user); err != nil {
+			if err := module.store.UpdateUser(ctx, user.OrgID, types.NewStorableUser(user)); err != nil {
 				return err
 			}
 		}
@@ -587,16 +703,16 @@ func (module *Module) UpdatePasswordByResetPasswordToken(ctx context.Context, to
 }

 func (module *Module) UpdatePassword(ctx context.Context, userID valuer.UUID, oldpasswd string, passwd string) error {
-	user, err := module.store.GetUser(ctx, userID)
+	storableUser, err := module.store.GetUser(ctx, userID)
 	if err != nil {
 		return err
 	}

-	if err := user.ErrIfDeleted(); err != nil {
+	if err := storableUser.ErrIfDeleted(); err != nil {
 		return errors.WithAdditionalf(err, "cannot change password for deleted user")
 	}

-	if err := user.ErrIfRoot(); err != nil {
+	if err := storableUser.ErrIfRoot(); err != nil {
 		return errors.WithAdditionalf(err, "cannot change password for root user")
 	}

@@ -642,7 +758,7 @@ func (module *Module) GetOrCreateUser(ctx context.Context, user *types.User, opt
 		// for users logging through SSO flow but are having status as pending_invite
 		if existingUser.Status == types.UserStatusPendingInvite {
 			// respect the role coming from the SSO
-			existingUser.Update("", user.Role)
+			existingUser.Update("", user.Role, user.Roles)
 			// activate the user
 			if err = module.activatePendingUser(ctx, existingUser); err != nil {
 				return nil, err
@@ -681,7 +797,7 @@ func (m *Module) RevokeAPIKey(ctx context.Context, id, removedByUserID valuer.UU
 }

 func (module *Module) CreateFirstUser(ctx context.Context, organization *types.Organization, name string, email valuer.Email, passwd string) (*types.User, error) {
-	user, err := types.NewRootUser(name, email, organization.ID)
+	user, err := types.NewRootUser(name, email, organization.ID, []string{authtypes.SigNozAdminRoleName})
 	if err != nil {
 		return nil, err
 	}
@@ -743,20 +859,24 @@ func (module *Module) Collect(ctx context.Context, orgID valuer.UUID) (map[strin

 // this function restricts that only one non-deleted user email can exist for an org ID, if found more, it throws an error
 func (module *Module) GetNonDeletedUserByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) (*types.User, error) {
-	existingUsers, err := module.store.GetUsersByEmailAndOrgID(ctx, email, orgID)
+	existingStorableUsers, err := module.store.GetUsersByEmailAndOrgID(ctx, email, orgID)
 	if err != nil {
 		return nil, err
 	}

 	// filter out the deleted users
-	existingUsers = slices.DeleteFunc(existingUsers, func(user *types.User) bool { return user.ErrIfDeleted() != nil })
+	existingStorableUsers = slices.DeleteFunc(existingStorableUsers, func(user *types.StorableUser) bool { return user.ErrIfDeleted() != nil })

-	if len(existingUsers) > 1 {
+	if len(existingStorableUsers) > 1 {
 		return nil, errors.Newf(errors.TypeInternal, errors.CodeInternal, "Multiple non-deleted users found for email %s in org_id: %s", email.StringValue(), orgID.StringValue())
 	}

-	if len(existingUsers) == 1 {
-		return existingUsers[0], nil
+	if len(existingStorableUsers) == 1 {
+		existingUser, err := module.GetByOrgIDAndUserID(ctx, existingStorableUsers[0].OrgID, existingStorableUsers[0].ID)
+		if err != nil {
+			return nil, err
+		}
+		return existingUser, nil
 	}

 	return nil, errors.Newf(errors.TypeNotFound, errors.CodeNotFound, "No non-deleted user found with email %s in org_id: %s", email.StringValue(), orgID.StringValue())
@@ -766,7 +886,12 @@ func (module *Module) GetNonDeletedUserByEmailAndOrgID(ctx context.Context, emai
 func (module *Module) createUserWithoutGrant(ctx context.Context, input *types.User, opts ...root.CreateUserOption) error {
 	createUserOpts := root.NewCreateUserOptions(opts...)
 	if err := module.store.RunInTx(ctx, func(ctx context.Context) error {
-		if err := module.store.CreateUser(ctx, input); err != nil {
+		if err := module.store.CreateUser(ctx, types.NewStorableUser(input)); err != nil {
+			return err
+		}
+
+		// create user_role junction entries
+		if err := module.createUserRoleEntries(ctx, input); err != nil {
 			return err
 		}

@@ -788,11 +913,25 @@ func (module *Module) createUserWithoutGrant(ctx context.Context, input *types.U
 	return nil
 }

+func (module *Module) createUserRoleEntries(ctx context.Context, user *types.User) error {
+	if len(user.Roles) == 0 {
+		return nil
+	}
+
+	storableRoles, err := module.authz.ListByOrgIDAndNames(ctx, user.OrgID, user.Roles)
+	if err != nil {
+		return err
+	}
+
+	userRoles := authtypes.NewStorableUserRoles(user.ID, storableRoles)
+	return module.userRoleStore.CreateUserRoles(ctx, userRoles)
+}
+
 func (module *Module) activatePendingUser(ctx context.Context, user *types.User) error {
 	err := module.authz.Grant(
 		ctx,
 		user.OrgID,
-		[]string{authtypes.MustGetSigNozManagedRoleFromExistingRole(user.Role)},
+		user.Roles,
 		authtypes.MustNewSubject(authtypes.TypeableUser, user.ID.StringValue(), user.OrgID, nil),
 	)
 	if err != nil {
@@ -802,10 +941,59 @@ func (module *Module) activatePendingUser(ctx context.Context, user *types.User)
 	if err := user.UpdateStatus(types.UserStatusActive); err != nil {
 		return err
 	}
-	err = module.store.UpdateUser(ctx, user.OrgID, user)
+	err = module.store.UpdateUser(ctx, user.OrgID, types.NewStorableUser(user))
 	if err != nil {
 		return err
 	}

 	return nil
 }
+
+func (module *Module) usersFromStorableUsersAndRolesMaps(storableUsers []*types.StorableUser, roles []*authtypes.Role, userIDToRoleIDsMap map[valuer.UUID][]valuer.UUID) []*types.User {
+	users := make([]*types.User, 0, len(storableUsers))
+
+	roleIDToRole := make(map[string]*authtypes.Role, len(roles))
+	for _, role := range roles {
+		roleIDToRole[role.ID.String()] = role
+	}
+
+	for _, user := range storableUsers {
+		roleIDs := userIDToRoleIDsMap[user.ID]
+
+		roleNames := make([]string, 0, len(roleIDs))
+		for _, rid := range roleIDs {
+			if role, ok := roleIDToRole[rid.String()]; ok {
+				roleNames = append(roleNames, role.Name)
+			}
+		}
+
+		account := types.NewUserFromStorable(user, roleNames)
+		users = append(users, account)
+	}
+
+	return users
+}
+
+func (m *Module) resolveRoleNamesForUser(ctx context.Context, userID valuer.UUID, orgID valuer.UUID) ([]string, error) {
+	storableUserRoles, err := m.userRoleStore.GetUserRolesByUserID(ctx, userID)
+	if err != nil {
+		return nil, err
+	}
+
+	roleIDs := make([]valuer.UUID, len(storableUserRoles))
+	for idx, sur := range storableUserRoles {
+		roleIDs[idx] = sur.RoleID
+	}
+
+	roles, err := m.authz.ListByOrgIDAndIDs(ctx, orgID, roleIDs)
+	if err != nil {
+		return nil, err
+	}
+
+	roleNames := make([]string, len(roles))
+	for idx, role := range roles {
+		roleNames[idx] = role.Name
+	}
+
+	return roleNames, nil
+}
--- a/pkg/modules/user/impluser/service.go
+++ b/pkg/modules/user/impluser/service.go
@@ -15,31 +15,34 @@ import (
 )

 type service struct {
-	settings  factory.ScopedProviderSettings
-	store     types.UserStore
-	module    user.Module
-	orgGetter organization.Getter
-	authz     authz.AuthZ
-	config    user.RootConfig
-	stopC     chan struct{}
+	settings      factory.ScopedProviderSettings
+	store         types.UserStore
+	userRoleStore authtypes.UserRoleStore
+	module        user.Module
+	orgGetter     organization.Getter
+	authz         authz.AuthZ
+	config        user.RootConfig
+	stopC         chan struct{}
 }

 func NewService(
 	providerSettings factory.ProviderSettings,
 	store types.UserStore,
+	userRoleStore authtypes.UserRoleStore,
 	module user.Module,
 	orgGetter organization.Getter,
 	authz authz.AuthZ,
 	config user.RootConfig,
 ) user.Service {
 	return &service{
-		settings:  factory.NewScopedProviderSettings(providerSettings, "go.signoz.io/pkg/modules/user"),
-		store:     store,
-		module:    module,
-		orgGetter: orgGetter,
-		authz:     authz,
-		config:    config,
-		stopC:     make(chan struct{}),
+		settings:      factory.NewScopedProviderSettings(providerSettings, "go.signoz.io/pkg/modules/user"),
+		store:         store,
+		userRoleStore: userRoleStore,
+		module:        module,
+		orgGetter:     orgGetter,
+		authz:         authz,
+		config:        config,
+		stopC:         make(chan struct{}),
 	}
 }

@@ -129,16 +132,16 @@ func (s *service) reconcileByName(ctx context.Context) error {
 }

 func (s *service) reconcileRootUser(ctx context.Context, orgID valuer.UUID) error {
-	existingRoot, err := s.store.GetRootUserByOrgID(ctx, orgID)
+	existingStorableRoot, err := s.getRootUserByOrgID(ctx, orgID)
 	if err != nil && !errors.Ast(err, errors.TypeNotFound) {
 		return err
 	}

-	if existingRoot == nil {
+	if existingStorableRoot == nil {
 		return s.createOrPromoteRootUser(ctx, orgID)
 	}

-	return s.updateExistingRootUser(ctx, orgID, existingRoot)
+	return s.updateExistingRootUser(ctx, orgID, existingStorableRoot)
 }

 func (s *service) createOrPromoteRootUser(ctx context.Context, orgID valuer.UUID) error {
@@ -148,29 +151,27 @@ func (s *service) createOrPromoteRootUser(ctx context.Context, orgID valuer.UUID
 	}

 	if existingUser != nil {
-		oldRole := existingUser.Role
+		oldRoles := existingUser.Roles

-		existingUser.PromoteToRoot()
+		existingUser.PromoteToRoot() // this only sets the column is_root as true (permissions are managed by authz in next step)
 		if err := s.module.UpdateAnyUser(ctx, orgID, existingUser); err != nil {
 			return err
 		}

-		if oldRole != types.RoleAdmin {
-			if err := s.authz.ModifyGrant(ctx,
-				orgID,
-				[]string{authtypes.MustGetSigNozManagedRoleFromExistingRole(oldRole)},
-				[]string{authtypes.MustGetSigNozManagedRoleFromExistingRole(types.RoleAdmin)},
-				authtypes.MustNewSubject(authtypes.TypeableUser, existingUser.ID.StringValue(), orgID, nil),
-			); err != nil {
-				return err
-			}
+		if err := s.authz.ModifyGrant(ctx,
+			orgID,
+			oldRoles,
+			[]string{authtypes.SigNozAdminRoleName},
+			authtypes.MustNewSubject(authtypes.TypeableUser, existingUser.ID.StringValue(), orgID, nil),
+		); err != nil {
+			return err
 		}

 		return s.setPassword(ctx, existingUser.ID)
 	}

 	// Create new root user
-	newUser, err := types.NewRootUser(s.config.Email.String(), s.config.Email, orgID)
+	newUser, err := types.NewRootUser(s.config.Email.String(), s.config.Email, orgID, []string{authtypes.SigNozAdminRoleName})
 	if err != nil {
 		return err
 	}
@@ -180,6 +181,7 @@ func (s *service) createOrPromoteRootUser(ctx context.Context, orgID valuer.UUID
 		return err
 	}

+	// authz grants are handled inside CreateUser
 	return s.module.CreateUser(ctx, newUser, user.WithFactorPassword(factorPassword))
 }

@@ -221,3 +223,12 @@ func (s *service) setPassword(ctx context.Context, userID valuer.UUID) error {

 	return nil
 }
+
+func (s *service) getRootUserByOrgID(ctx context.Context, orgID valuer.UUID) (*types.User, error) {
+	storableRoot, err := s.store.GetRootUserByOrgID(ctx, orgID)
+	if err != nil {
+		return nil, err
+	}
+
+	return s.module.GetByOrgIDAndUserID(ctx, orgID, storableRoot.ID)
+}
--- a/pkg/modules/user/impluser/store.go
+++ b/pkg/modules/user/impluser/store.go
@@ -39,7 +39,7 @@ func (store *store) CreatePassword(ctx context.Context, password *types.FactorPa
 	return nil
 }

-func (store *store) CreateUser(ctx context.Context, user *types.User) error {
+func (store *store) CreateUser(ctx context.Context, user *types.StorableUser) error {
 	_, err := store.
 		sqlstore.
 		BunDBCtx(ctx).
@@ -52,8 +52,8 @@ func (store *store) CreateUser(ctx context.Context, user *types.User) error {
 	return nil
 }

-func (store *store) GetUsersByEmail(ctx context.Context, email valuer.Email) ([]*types.User, error) {
-	var users []*types.User
+func (store *store) GetUsersByEmail(ctx context.Context, email valuer.Email) ([]*types.StorableUser, error) {
+	var users []*types.StorableUser

 	err := store.
 		sqlstore.
@@ -69,8 +69,8 @@ func (store *store) GetUsersByEmail(ctx context.Context, email valuer.Email) ([]
 	return users, nil
 }

-func (store *store) GetUser(ctx context.Context, id valuer.UUID) (*types.User, error) {
-	user := new(types.User)
+func (store *store) GetUser(ctx context.Context, id valuer.UUID) (*types.StorableUser, error) {
+	user := new(types.StorableUser)

 	err := store.
 		sqlstore.
@@ -86,8 +86,8 @@ func (store *store) GetUser(ctx context.Context, id valuer.UUID) (*types.User, e
 	return user, nil
 }

-func (store *store) GetByOrgIDAndID(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*types.User, error) {
-	user := new(types.User)
+func (store *store) GetByOrgIDAndID(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*types.StorableUser, error) {
+	user := new(types.StorableUser)

 	err := store.
 		sqlstore.
@@ -104,8 +104,8 @@ func (store *store) GetByOrgIDAndID(ctx context.Context, orgID valuer.UUID, id v
 	return user, nil
 }

-func (store *store) GetUsersByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) ([]*types.User, error) {
-	var users []*types.User
+func (store *store) GetUsersByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) ([]*types.StorableUser, error) {
+	var users []*types.StorableUser

 	err := store.
 		sqlstore.
@@ -122,26 +122,7 @@ func (store *store) GetUsersByEmailAndOrgID(ctx context.Context, email valuer.Em
 	return users, nil
 }

-func (store *store) GetActiveUsersByRoleAndOrgID(ctx context.Context, role types.Role, orgID valuer.UUID) ([]*types.User, error) {
-	var users []*types.User
-
-	err := store.
-		sqlstore.
-		BunDBCtx(ctx).
-		NewSelect().
-		Model(&users).
-		Where("org_id = ?", orgID).
-		Where("role = ?", role).
-		Where("status = ?", types.UserStatusActive.StringValue()).
-		Scan(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	return users, nil
-}
-
-func (store *store) UpdateUser(ctx context.Context, orgID valuer.UUID, user *types.User) error {
+func (store *store) UpdateUser(ctx context.Context, orgID valuer.UUID, user *types.StorableUser) error {
 	_, err := store.
 		sqlstore.
 		BunDBCtx(ctx).
@@ -162,8 +143,8 @@ func (store *store) UpdateUser(ctx context.Context, orgID valuer.UUID, user *typ
 	return nil
 }

-func (store *store) ListUsersByOrgID(ctx context.Context, orgID valuer.UUID) ([]*types.GettableUser, error) {
-	users := []*types.User{}
+func (store *store) ListUsersByOrgID(ctx context.Context, orgID valuer.UUID) ([]*types.StorableUser, error) {
+	users := []*types.StorableUser{}

 	err := store.
 		sqlstore.
@@ -247,7 +228,7 @@ func (store *store) DeleteUser(ctx context.Context, orgID string, id string) err

 	// delete user
 	_, err = tx.NewDelete().
-		Model(new(types.User)).
+		Model(new(types.StorableUser)).
 		Where("org_id = ?", orgID).
 		Where("id = ?", id).
 		Exec(ctx)
@@ -332,7 +313,7 @@ func (store *store) SoftDeleteUser(ctx context.Context, orgID string, id string)
 	// soft delete user
 	now := time.Now()
 	_, err = tx.NewUpdate().
-		Model(new(types.User)).
+		Model(new(types.StorableUser)).
 		Set("status = ?", types.UserStatusDeleted).
 		Set("deleted_at = ?", now).
 		Set("updated_at = ?", now).
@@ -563,7 +544,7 @@ func (store *store) GetAPIKey(ctx context.Context, orgID, id valuer.UUID) (*type
 }

 func (store *store) CountByOrgID(ctx context.Context, orgID valuer.UUID) (int64, error) {
-	user := new(types.User)
+	user := new(types.StorableUser)

 	count, err := store.
 		sqlstore.
@@ -580,7 +561,7 @@ func (store *store) CountByOrgID(ctx context.Context, orgID valuer.UUID) (int64,
 }

 func (store *store) CountByOrgIDAndStatuses(ctx context.Context, orgID valuer.UUID, statuses []string) (map[valuer.String]int64, error) {
-	user := new(types.User)
+	user := new(types.StorableUser)
 	var results []struct {
 		Status valuer.String `bun:"status"`
 		Count  int64         `bun:"count"`
@@ -633,8 +614,8 @@ func (store *store) RunInTx(ctx context.Context, cb func(ctx context.Context) er
 	})
 }

-func (store *store) GetRootUserByOrgID(ctx context.Context, orgID valuer.UUID) (*types.User, error) {
-	user := new(types.User)
+func (store *store) GetRootUserByOrgID(ctx context.Context, orgID valuer.UUID) (*types.StorableUser, error) {
+	user := new(types.StorableUser)
 	err := store.
 		sqlstore.
 		BunDBCtx(ctx).
@@ -649,8 +630,8 @@ func (store *store) GetRootUserByOrgID(ctx context.Context, orgID valuer.UUID) (
 	return user, nil
 }

-func (store *store) ListUsersByEmailAndOrgIDs(ctx context.Context, email valuer.Email, orgIDs []valuer.UUID) ([]*types.User, error) {
-	users := []*types.User{}
+func (store *store) ListUsersByEmailAndOrgIDs(ctx context.Context, email valuer.Email, orgIDs []valuer.UUID) ([]*types.StorableUser, error) {
+	users := []*types.StorableUser{}
 	err := store.
 		sqlstore.
 		BunDB().
@@ -666,15 +647,15 @@ func (store *store) ListUsersByEmailAndOrgIDs(ctx context.Context, email valuer.
 	return users, nil
 }

-func (store *store) GetUserByResetPasswordToken(ctx context.Context, token string) (*types.User, error) {
-	user := new(types.User)
+func (store *store) GetUserByResetPasswordToken(ctx context.Context, token string) (*types.StorableUser, error) {
+	user := new(types.StorableUser)

 	err := store.
 		sqlstore.
 		BunDBCtx(ctx).
 		NewSelect().
 		Model(user).
-		Join(`JOIN factor_password ON factor_password.user_id = "user".id`).
+		Join(`JOIN factor_password ON factor_password.user_id = "users".id`).
 		Join("JOIN reset_password_token ON reset_password_token.password_id = factor_password.id").
 		Where("reset_password_token.token = ?", token).
 		Scan(ctx)
@@ -685,8 +666,8 @@ func (store *store) GetUserByResetPasswordToken(ctx context.Context, token strin
 	return user, nil
 }

-func (store *store) GetUsersByEmailsOrgIDAndStatuses(ctx context.Context, orgID valuer.UUID, emails []string, statuses []string) ([]*types.User, error) {
-	users := []*types.User{}
+func (store *store) GetUsersByEmailsOrgIDAndStatuses(ctx context.Context, orgID valuer.UUID, emails []string, statuses []string) ([]*types.StorableUser, error) {
+	users := []*types.StorableUser{}

 	err := store.
 		sqlstore.
@@ -703,3 +684,20 @@ func (store *store) GetUsersByEmailsOrgIDAndStatuses(ctx context.Context, orgID

 	return users, nil
 }
+
+func (store *store) GetActiveUsersByRoleNameAndOrgID(ctx context.Context, roleName string, orgID valuer.UUID) ([]*types.StorableUser, error) {
+	var users []*types.StorableUser
+
+	err := store.sqlstore.BunDBCtx(ctx).NewSelect().
+		Model(&users).
+		Join("JOIN user_role ON user_role.user_id = users.id").
+		Join("JOIN role ON role.id = user_role.role_id").
+		Where("users.org_id = ?", orgID).
+		Where("role.name = ?", roleName).
+		Where("users.status = ?", types.UserStatusActive.StringValue()).
+		Scan(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return users, nil
+}
--- a/pkg/modules/user/impluser/userrolestore.go
+++ b/pkg/modules/user/impluser/userrolestore.go
@@ -0,0 +1,62 @@
+package impluser
+
+import (
+	"context"
+
+	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/sqlstore"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
+	"github.com/SigNoz/signoz/pkg/valuer"
+	"github.com/uptrace/bun"
+)
+
+type userRoleStore struct {
+	sqlstore sqlstore.SQLStore
+	settings factory.ProviderSettings
+}
+
+func NewUserRoleStore(sqlstore sqlstore.SQLStore, settings factory.ProviderSettings) authtypes.UserRoleStore {
+	return &userRoleStore{sqlstore: sqlstore, settings: settings}
+}
+
+func (store *userRoleStore) ListUserRolesByOrgIDAndUserIDs(ctx context.Context, orgID valuer.UUID, userIDs []valuer.UUID) ([]*authtypes.StorableUserRole, error) {
+	storableUserRoles := make([]*authtypes.StorableUserRole, 0)
+
+	err := store.sqlstore.BunDBCtx(ctx).NewSelect().Model(&storableUserRoles).
+		Join("JOIN users").
+		JoinOn("users.id = user_role.user_id").
+		Where("users.org_id = ?", orgID).Where("users.id IN (?)", bun.In(userIDs)).Scan(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return storableUserRoles, nil
+}
+
+func (store *userRoleStore) CreateUserRoles(ctx context.Context, userRoles []*authtypes.StorableUserRole) error {
+	_, err := store.sqlstore.BunDBCtx(ctx).NewInsert().Model(&userRoles).Exec(ctx)
+	if err != nil {
+		return store.sqlstore.WrapAlreadyExistsErrf(err, authtypes.ErrCodeUserRoleAlreadyExists, "duplicate role assignments for service account")
+	}
+	return nil
+}
+
+func (store *userRoleStore) DeleteUserRoles(ctx context.Context, userID valuer.UUID) error {
+	_, err := store.sqlstore.BunDBCtx(ctx).NewDelete().Model(new(authtypes.StorableUserRole)).Where("user_id = ?", userID).Exec(ctx)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (store *userRoleStore) GetUserRolesByUserID(ctx context.Context, userID valuer.UUID) ([]*authtypes.StorableUserRole, error) {
+	storableUserRoles := make([]*authtypes.StorableUserRole, 0)
+
+	err := store.sqlstore.BunDBCtx(ctx).NewSelect().Model(&storableUserRoles).Where("user_id = ?", userID).Scan(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return storableUserRoles, nil
+}
--- a/pkg/modules/user/user.go
+++ b/pkg/modules/user/user.go
@@ -10,6 +10,12 @@ import (
 )

 type Module interface {
+	// Gets user by org id and user id, this includes the roles resolution
+	GetByOrgIDAndUserID(ctx context.Context, orgID, userID valuer.UUID) (*types.User, error)
+
+	// Lists all the users by org id, no filters applied and includes roles resolution
+	ListUsersByOrgID(ctx context.Context, orgID valuer.UUID) ([]*types.User, error)
+
 	// Creates the organization and the first user of that organization.
 	CreateFirstUser(ctx context.Context, organization *types.Organization, name string, email valuer.Email, password string) (*types.User, error)

@@ -21,7 +27,7 @@ type Module interface {

 	// Get or Create a reset password token for a user. If the password does not exist, a new one is randomly generated and inserted. The function
 	// is idempotent and can be called multiple times.
-	GetOrCreateResetPasswordToken(ctx context.Context, userID valuer.UUID) (*types.ResetPasswordToken, error)
+	GetOrCreateResetPasswordToken(ctx context.Context, orgID, userID valuer.UUID) (*types.ResetPasswordToken, error)

 	// Updates password of a user using a reset password token. It also deletes all reset password tokens for the user.
 	// This is used to reset the password of a user when they forget their password.
@@ -58,22 +64,13 @@ type Module interface {
 }

 type Getter interface {
-	// Get root user by org id.
-	GetRootUserByOrgID(context.Context, valuer.UUID) (*types.User, error)
-
 	// Get gets the users based on the given id
 	ListByOrgID(context.Context, valuer.UUID) ([]*types.User, error)

-	// Get users by email.
-	GetUsersByEmail(context.Context, valuer.Email) ([]*types.User, error)
-
-	// Get user by orgID and id.
-	GetByOrgIDAndID(context.Context, valuer.UUID, valuer.UUID) (*types.User, error)
-
 	// Get user by id.
 	Get(context.Context, valuer.UUID) (*types.User, error)

-	// List users by email and org ids.
+	// List users by email and org ids. This does not includes roles resolution as this is only used for session context
 	ListUsersByEmailAndOrgIDs(context.Context, valuer.Email, []valuer.UUID) ([]*types.User, error)

 	// Count users by org id.
--- a/pkg/signoz/handler_test.go
+++ b/pkg/signoz/handler_test.go
@@ -48,9 +48,11 @@ func TestNewHandlers(t *testing.T) {
 	flagger, err := flagger.New(context.Background(), instrumentationtest.New().ToProviderSettings(), flagger.Config{}, flagger.MustNewRegistry())
 	require.NoError(t, err)

-	userGetter := impluser.NewGetter(impluser.NewStore(sqlstore, providerSettings), flagger)
+	userRoleStore := impluser.NewUserRoleStore(sqlstore, providerSettings)

-	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, nil, nil, nil, nil, nil, nil, nil, queryParser, Config{}, dashboardModule, userGetter)
+	userGetter := impluser.NewGetter(impluser.NewStore(sqlstore, providerSettings))
+
+	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, nil, nil, nil, nil, nil, nil, nil, queryParser, Config{}, dashboardModule, userGetter, userRoleStore, flagger)

 	querierHandler := querier.NewHandler(providerSettings, nil, nil)
 	handlers := NewHandlers(modules, providerSettings, nil, querierHandler, nil, nil, nil, nil, nil, nil, nil)
--- a/pkg/signoz/module.go
+++ b/pkg/signoz/module.go
@@ -8,6 +8,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/cache"
 	"github.com/SigNoz/signoz/pkg/emailing"
 	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/flagger"
 	"github.com/SigNoz/signoz/pkg/modules/apdex"
 	"github.com/SigNoz/signoz/pkg/modules/apdex/implapdex"
 	"github.com/SigNoz/signoz/pkg/modules/authdomain"
@@ -89,10 +90,12 @@ func NewModules(
 	config Config,
 	dashboard dashboard.Module,
 	userGetter user.Getter,
+	userRoleStore authtypes.UserRoleStore,
+	flagger flagger.Flagger,
 ) Modules {
 	quickfilter := implquickfilter.NewModule(implquickfilter.NewStore(sqlstore))
 	orgSetter := implorganization.NewSetter(implorganization.NewStore(sqlstore), alertmanager, quickfilter)
-	user := impluser.NewModule(impluser.NewStore(sqlstore, providerSettings), tokenizer, emailing, providerSettings, orgSetter, authz, analytics, config.User)
+	user := impluser.NewModule(impluser.NewStore(sqlstore, providerSettings), userRoleStore, tokenizer, emailing, providerSettings, orgSetter, authz, analytics, config.User, flagger)
 	ruleStore := sqlrulestore.NewRuleStore(sqlstore, queryParser, providerSettings)

 	return Modules{
@@ -108,7 +111,7 @@ func NewModules(
 		TraceFunnel:     impltracefunnel.NewModule(impltracefunnel.NewStore(sqlstore)),
 		RawDataExport:   implrawdataexport.NewModule(querier),
 		AuthDomain:      implauthdomain.NewModule(implauthdomain.NewStore(sqlstore), authNs),
-		Session:         implsession.NewModule(providerSettings, authNs, user, userGetter, implauthdomain.NewModule(implauthdomain.NewStore(sqlstore), authNs), tokenizer, orgGetter),
+		Session:         implsession.NewModule(providerSettings, authNs, user, userGetter, implauthdomain.NewModule(implauthdomain.NewStore(sqlstore), authNs), tokenizer, orgGetter, authz),
 		SpanPercentile:  implspanpercentile.NewModule(querier, providerSettings),
 		Services:        implservices.NewModule(querier, telemetryStore),
 		MetricsExplorer: implmetricsexplorer.NewModule(telemetryStore, telemetryMetadataStore, cache, ruleStore, dashboard, providerSettings, config.MetricsExplorer),
--- a/pkg/signoz/module_test.go
+++ b/pkg/signoz/module_test.go
@@ -47,9 +47,11 @@ func TestNewModules(t *testing.T) {
 	flagger, err := flagger.New(context.Background(), instrumentationtest.New().ToProviderSettings(), flagger.Config{}, flagger.MustNewRegistry())
 	require.NoError(t, err)

-	userGetter := impluser.NewGetter(impluser.NewStore(sqlstore, providerSettings), flagger)
+	userRoleStore := impluser.NewUserRoleStore(sqlstore, providerSettings)

-	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, nil, nil, nil, nil, nil, nil, nil, queryParser, Config{}, dashboardModule, userGetter)
+	userGetter := impluser.NewGetter(impluser.NewStore(sqlstore, providerSettings))
+
+	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, nil, nil, nil, nil, nil, nil, nil, queryParser, Config{}, dashboardModule, userGetter, userRoleStore, flagger)

 	reflectVal := reflect.ValueOf(modules)
 	for i := 0; i < reflectVal.NumField(); i++ {
--- a/pkg/signoz/provider.go
+++ b/pkg/signoz/provider.go
@@ -175,6 +175,8 @@ func NewSQLMigrationProviderFactories(
 		sqlmigration.NewMigrateRulesV4ToV5Factory(sqlstore, telemetryStore),
 		sqlmigration.NewAddStatusUserFactory(sqlstore, sqlschema),
 		sqlmigration.NewDeprecateUserInviteFactory(sqlstore, sqlschema),
+		sqlmigration.NewAddUserRoleFactory(sqlstore, sqlschema),
+		sqlmigration.NewAddUserRoleAuthzFactory(sqlstore),
 	)
 }

--- a/pkg/signoz/provider_test.go
+++ b/pkg/signoz/provider_test.go
@@ -1,13 +1,11 @@
 package signoz

 import (
-	"context"
 	"testing"

 	"github.com/DATA-DOG/go-sqlmock"
 	"github.com/SigNoz/signoz/pkg/alertmanager/nfmanager/nfmanagertest"
 	"github.com/SigNoz/signoz/pkg/analytics"
-	"github.com/SigNoz/signoz/pkg/flagger"
 	"github.com/SigNoz/signoz/pkg/instrumentation/instrumentationtest"
 	"github.com/SigNoz/signoz/pkg/modules/organization/implorganization"
 	"github.com/SigNoz/signoz/pkg/modules/user/impluser"
@@ -77,12 +75,7 @@ func TestNewProviderFactories(t *testing.T) {
 	})

 	assert.NotPanics(t, func() {
-		flagger, err := flagger.New(context.Background(), instrumentationtest.New().ToProviderSettings(), flagger.Config{}, flagger.MustNewRegistry())
-		if err != nil {
-			panic(err)
-		}
-
-		userGetter := impluser.NewGetter(impluser.NewStore(sqlstoretest.New(sqlstore.Config{Provider: "sqlite"}, sqlmock.QueryMatcherEqual), instrumentationtest.New().ToProviderSettings()), flagger)
+		userGetter := impluser.NewGetter(impluser.NewStore(sqlstoretest.New(sqlstore.Config{Provider: "sqlite"}, sqlmock.QueryMatcherEqual), instrumentationtest.New().ToProviderSettings()))
 		orgGetter := implorganization.NewGetter(implorganization.NewStore(sqlstoretest.New(sqlstore.Config{Provider: "sqlite"}, sqlmock.QueryMatcherEqual)), nil)
 		telemetryStore := telemetrystoretest.New(telemetrystore.Config{Provider: "clickhouse"}, sqlmock.QueryMatcherEqual)
 		NewStatsReporterProviderFactories(telemetryStore, []statsreporter.StatsCollector{}, orgGetter, userGetter, tokenizertest.NewMockTokenizer(t), version.Build{}, analytics.Config{Enabled: true})
--- a/pkg/signoz/signoz.go
+++ b/pkg/signoz/signoz.go
@@ -281,8 +281,14 @@ func New(
 		return nil, err
 	}

+	// Initialize user store
+	userStore := impluser.NewStore(sqlstore, providerSettings)
+
+	// Initialize user role store
+	userRoleStore := impluser.NewUserRoleStore(sqlstore, providerSettings)
+
 	// Initialize user getter
-	userGetter := impluser.NewGetter(impluser.NewStore(sqlstore, providerSettings), flagger)
+	userGetter := impluser.NewGetter(userStore)

 	licensingProviderFactory := licenseProviderFactory(sqlstore, zeus, orgGetter, analytics)
 	licensing, err := licensingProviderFactory.New(
@@ -390,7 +396,7 @@ func New(
 	}

 	// Initialize all modules
-	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, analytics, querier, telemetrystore, telemetryMetadataStore, authNs, authz, cache, queryParser, config, dashboard, userGetter)
+	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, analytics, querier, telemetrystore, telemetryMetadataStore, authNs, authz, cache, queryParser, config, dashboard, userGetter, userRoleStore, flagger)

 	// Initialize identN resolver
 	identNFactories := NewIdentNProviderFactories(sqlstore, tokenizer)
@@ -404,7 +410,7 @@ func New(
 	}
 	identNResolver := identn.NewIdentNResolver(providerSettings, identNs...)

-	userService := impluser.NewService(providerSettings, impluser.NewStore(sqlstore, providerSettings), modules.User, orgGetter, authz, config.User.Root)
+	userService := impluser.NewService(providerSettings, userStore, userRoleStore, modules.User, orgGetter, authz, config.User.Root)

 	// Initialize the querier handler via callback (allows EE to decorate with anomaly detection)
 	querierHandler := querierHandlerCallback(providerSettings, querier, analytics)
--- a/pkg/sqlmigration/037_add_trace_funnels.go
+++ b/pkg/sqlmigration/037_add_trace_funnels.go
@@ -2,6 +2,7 @@ package sqlmigration

 import (
 	"context"
+
 	"github.com/SigNoz/signoz/pkg/factory"
 	"github.com/SigNoz/signoz/pkg/sqlstore"
 	"github.com/SigNoz/signoz/pkg/types"
@@ -16,12 +17,12 @@ type funnel struct {
 	types.Identifiable // funnel id
 	types.TimeAuditable
 	types.UserAuditable
-	Name          string       `json:"funnel_name" bun:"name,type:text,notnull"` // funnel name
-	Description   string       `json:"description" bun:"description,type:text"`  // funnel description
-	OrgID         valuer.UUID  `json:"org_id" bun:"org_id,type:varchar,notnull"`
-	Steps         []funnelStep `json:"steps" bun:"steps,type:text,notnull"`
-	Tags          string       `json:"tags" bun:"tags,type:text"`
-	CreatedByUser *types.User  `json:"user" bun:"rel:belongs-to,join:created_by=id"`
+	Name          string              `json:"funnel_name" bun:"name,type:text,notnull"` // funnel name
+	Description   string              `json:"description" bun:"description,type:text"`  // funnel description
+	OrgID         valuer.UUID         `json:"org_id" bun:"org_id,type:varchar,notnull"`
+	Steps         []funnelStep        `json:"steps" bun:"steps,type:text,notnull"`
+	Tags          string              `json:"tags" bun:"tags,type:text"`
+	CreatedByUser *types.StorableUser `json:"user" bun:"rel:belongs-to,join:created_by=id"`
 }

 type funnelStep struct {
--- a/pkg/sqlmigration/069_add_user_role.go
+++ b/pkg/sqlmigration/069_add_user_role.go
@@ -0,0 +1,197 @@
+package sqlmigration
+
+import (
+	"context"
+	"time"
+
+	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/sqlschema"
+	"github.com/SigNoz/signoz/pkg/sqlstore"
+	"github.com/SigNoz/signoz/pkg/types"
+	"github.com/SigNoz/signoz/pkg/valuer"
+	"github.com/uptrace/bun"
+	"github.com/uptrace/bun/migrate"
+)
+
+var (
+	userRoleToSigNozManagedRoleMap = map[string]string{
+		"ADMIN":  "signoz-admin",
+		"EDITOR": "signoz-editor",
+		"VIEWER": "signoz-viewer",
+	}
+)
+
+type userRow struct {
+	ID    string `bun:"id"`
+	Role  string `bun:"role"`
+	OrgID string `bun:"org_id"`
+}
+
+type roleRow struct {
+	ID    string `bun:"id"`
+	Name  string `bun:"name"`
+	OrgID string `bun:"org_id"`
+}
+
+type orgRoleKey struct {
+	OrgID    string
+	RoleName string
+}
+
+type addUserRole struct {
+	sqlstore  sqlstore.SQLStore
+	sqlschema sqlschema.SQLSchema
+}
+
+type userRoleRow struct {
+	bun.BaseModel `bun:"table:user_role"`
+
+	types.Identifiable
+	UserID string `bun:"user_id"`
+	RoleID string `bun:"role_id"`
+	types.TimeAuditable
+}
+
+func NewAddUserRoleFactory(sqlstore sqlstore.SQLStore, sqlschema sqlschema.SQLSchema) factory.ProviderFactory[SQLMigration, Config] {
+	return factory.NewProviderFactory(factory.MustNewName("add_user_role"), func(ctx context.Context, ps factory.ProviderSettings, c Config) (SQLMigration, error) {
+		return &addUserRole{
+			sqlstore:  sqlstore,
+			sqlschema: sqlschema,
+		}, nil
+	})
+}
+
+func (migration *addUserRole) Register(migrations *migrate.Migrations) error {
+	if err := migrations.Register(migration.Up, migration.Down); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (migration *addUserRole) Up(ctx context.Context, db *bun.DB) error {
+	tx, err := db.BeginTx(ctx, nil)
+	if err != nil {
+		return err
+	}
+
+	defer func() {
+		_ = tx.Rollback()
+	}()
+
+	sqls := [][]byte{}
+
+	tableSQLs := migration.sqlschema.Operator().CreateTable(&sqlschema.Table{
+		Name: "user_role",
+		Columns: []*sqlschema.Column{
+			{Name: "id", DataType: sqlschema.DataTypeText, Nullable: false},
+			{Name: "user_id", DataType: sqlschema.DataTypeText, Nullable: false},
+			{Name: "role_id", DataType: sqlschema.DataTypeText, Nullable: false},
+			{Name: "created_at", DataType: sqlschema.DataTypeTimestamp, Nullable: false},
+			{Name: "updated_at", DataType: sqlschema.DataTypeTimestamp, Nullable: false},
+		},
+		PrimaryKeyConstraint: &sqlschema.PrimaryKeyConstraint{
+			ColumnNames: []sqlschema.ColumnName{"id"},
+		},
+		ForeignKeyConstraints: []*sqlschema.ForeignKeyConstraint{
+			{
+				ReferencingColumnName: sqlschema.ColumnName("user_id"),
+				ReferencedTableName:   sqlschema.TableName("users"),
+				ReferencedColumnName:  sqlschema.ColumnName("id"),
+			},
+			{
+				ReferencingColumnName: sqlschema.ColumnName("role_id"),
+				ReferencedTableName:   sqlschema.TableName("role"),
+				ReferencedColumnName:  sqlschema.ColumnName("id"),
+			},
+		},
+	})
+
+	sqls = append(sqls, tableSQLs...)
+
+	indexSQLs := migration.sqlschema.Operator().CreateIndex(
+		&sqlschema.UniqueIndex{
+			TableName:   "user_role",
+			ColumnNames: []sqlschema.ColumnName{"user_id", "role_id"},
+		},
+	)
+
+	sqls = append(sqls, indexSQLs...)
+
+	for _, sql := range sqls {
+		if _, err := tx.ExecContext(ctx, string(sql)); err != nil {
+			return err
+		}
+	}
+
+	// fill the new user_role table for existing users
+	var users []userRow
+	err = tx.NewSelect().TableExpr("users").ColumnExpr("id, role, org_id").Scan(ctx, &users)
+	if err != nil {
+		return err
+	}
+
+	if len(users) == 0 {
+		return tx.Commit()
+	}
+
+	orgIDs := make(map[string]struct{})
+	for _, u := range users {
+		orgIDs[u.OrgID] = struct{}{}
+	}
+
+	orgIDList := make([]string, 0, len(orgIDs))
+	for oid := range orgIDs {
+		orgIDList = append(orgIDList, oid)
+	}
+
+	var roles []roleRow
+	err = tx.NewSelect().TableExpr("role").ColumnExpr("id, name, org_id").Where("org_id IN (?)", bun.In(orgIDList)).Scan(ctx, &roles)
+	if err != nil {
+		return err
+	}
+
+	roleMap := make(map[orgRoleKey]string)
+	for _, r := range roles {
+		roleMap[orgRoleKey{OrgID: r.OrgID, RoleName: r.Name}] = r.ID
+	}
+
+	now := time.Now()
+	userRoles := make([]*userRoleRow, 0, len(users))
+	for _, u := range users {
+		managedRoleName, ok := userRoleToSigNozManagedRoleMap[u.Role]
+		if !ok {
+			managedRoleName = "signoz-viewer" // fallback
+		}
+		roleID, ok := roleMap[orgRoleKey{OrgID: u.OrgID, RoleName: managedRoleName}]
+		if !ok {
+			continue // user needs to get access again
+		}
+
+		userRoles = append(userRoles, &userRoleRow{
+			Identifiable: types.Identifiable{ID: valuer.GenerateUUID()},
+			UserID:       u.ID,
+			RoleID:       roleID,
+			TimeAuditable: types.TimeAuditable{
+				CreatedAt: now,
+				UpdatedAt: now,
+			},
+		})
+	}
+
+	if len(userRoles) > 0 {
+		if _, err := tx.NewInsert().Model(&userRoles).Exec(ctx); err != nil {
+			return err
+		}
+	}
+
+	if err := tx.Commit(); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (migration *addUserRole) Down(ctx context.Context, db *bun.DB) error {
+	return nil
+}
--- a/pkg/sqlmigration/070_add_user_role_authz.go
+++ b/pkg/sqlmigration/070_add_user_role_authz.go
@@ -0,0 +1,156 @@
+package sqlmigration
+
+import (
+	"context"
+	"database/sql"
+	"time"
+
+	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/sqlstore"
+	"github.com/oklog/ulid/v2"
+	"github.com/uptrace/bun"
+	"github.com/uptrace/bun/dialect"
+	"github.com/uptrace/bun/migrate"
+)
+
+type addUserRoleAuthz struct {
+	sqlstore sqlstore.SQLStore
+}
+
+func NewAddUserRoleAuthzFactory(sqlstore sqlstore.SQLStore) factory.ProviderFactory[SQLMigration, Config] {
+	return factory.NewProviderFactory(factory.MustNewName("add_user_role_authz"), func(ctx context.Context, ps factory.ProviderSettings, c Config) (SQLMigration, error) {
+		return &addUserRoleAuthz{sqlstore: sqlstore}, nil
+	})
+}
+
+func (migration *addUserRoleAuthz) Register(migrations *migrate.Migrations) error {
+	if err := migrations.Register(migration.Up, migration.Down); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (migration *addUserRoleAuthz) Up(ctx context.Context, db *bun.DB) error {
+	tx, err := db.BeginTx(ctx, nil)
+	if err != nil {
+		return err
+	}
+
+	defer func() {
+		_ = tx.Rollback()
+	}()
+
+	var storeID string
+	err = tx.QueryRowContext(ctx, `SELECT id FROM store WHERE name = ? LIMIT 1`, "signoz").Scan(&storeID)
+	if err != nil {
+		return err
+	}
+
+	type userRoleTuple struct {
+		UserID   string
+		OrgID    string
+		RoleName string
+	}
+
+	rows, err := tx.QueryContext(ctx, `
+		SELECT u.id, u.org_id, r.name
+		FROM users u
+		JOIN user_role ur ON ur.user_id = u.id
+		JOIN role r ON r.id = ur.role_id
+		WHERE u.status != 'deleted'
+	`)
+	if err != nil {
+		if err == sql.ErrNoRows {
+			return tx.Commit()
+		}
+		return err
+	}
+	defer rows.Close()
+
+	tuples := make([]userRoleTuple, 0)
+	for rows.Next() {
+		var t userRoleTuple
+		if err := rows.Scan(&t.UserID, &t.OrgID, &t.RoleName); err != nil {
+			return err
+		}
+		tuples = append(tuples, t)
+	}
+
+	if err := rows.Err(); err != nil {
+		return err
+	}
+
+	entropy := ulid.DefaultEntropy()
+	for _, t := range tuples {
+		now := time.Now().UTC()
+		tupleID := ulid.MustNew(ulid.Timestamp(now), entropy).String()
+
+		objectID := "organization/" + t.OrgID + "/role/" + t.RoleName
+		userID := "organization/" + t.OrgID + "/user/" + t.UserID
+
+		if migration.sqlstore.BunDB().Dialect().Name() == dialect.PG {
+			result, err := tx.ExecContext(ctx, `
+				INSERT INTO tuple (store, object_type, object_id, relation, _user, user_type, ulid, inserted_at)
+				VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+				ON CONFLICT (store, object_type, object_id, relation, _user) DO NOTHING`,
+				storeID, "role", objectID, "assignee", "user:"+userID, "user", tupleID, now,
+			)
+			if err != nil {
+				return err
+			}
+
+			rowsAffected, err := result.RowsAffected()
+			if err != nil {
+				return err
+			}
+			if rowsAffected == 0 {
+				continue
+			}
+
+			_, err = tx.ExecContext(ctx, `
+				INSERT INTO changelog (store, object_type, object_id, relation, _user, operation, ulid, inserted_at)
+				VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+				ON CONFLICT (store, ulid, object_type) DO NOTHING`,
+				storeID, "role", objectID, "assignee", "user:"+userID, "TUPLE_OPERATION_WRITE", tupleID, now,
+			)
+			if err != nil {
+				return err
+			}
+		} else {
+			result, err := tx.ExecContext(ctx, `
+				INSERT INTO tuple (store, object_type, object_id, relation, user_object_type, user_object_id, user_relation, user_type, ulid, inserted_at)
+				VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+				ON CONFLICT (store, object_type, object_id, relation, user_object_type, user_object_id, user_relation) DO NOTHING`,
+				storeID, "role", objectID, "assignee", "user", userID, "", "user", tupleID, now,
+			)
+			if err != nil {
+				return err
+			}
+
+			rowsAffected, err := result.RowsAffected()
+			if err != nil {
+				return err
+			}
+			if rowsAffected == 0 {
+				continue
+			}
+
+			_, err = tx.ExecContext(ctx, `
+				INSERT INTO changelog (store, object_type, object_id, relation, user_object_type, user_object_id, user_relation, operation, ulid, inserted_at)
+				VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+				ON CONFLICT (store, ulid, object_type) DO NOTHING`,
+				storeID, "role", objectID, "assignee", "user", userID, "", 0, tupleID, now,
+			)
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	return tx.Commit()
+}
+
+func (migration *addUserRoleAuthz) Down(context.Context, *bun.DB) error {
+	return nil
+}
--- a/pkg/tokenizer/tokenizerstore/sqltokenizerstore/store.go
+++ b/pkg/tokenizer/tokenizerstore/sqltokenizerstore/store.go
@@ -34,7 +34,7 @@ func (store *store) Create(ctx context.Context, token *authtypes.StorableToken)
 }

 func (store *store) GetIdentityByUserID(ctx context.Context, userID valuer.UUID) (*authtypes.Identity, error) {
-	user := new(types.User)
+	user := new(types.StorableUser)

 	err := store.
 		sqlstore.
--- a/pkg/types/authtypes/authn.go
+++ b/pkg/types/authtypes/authn.go
@@ -128,7 +128,7 @@ func (typ *Identity) ToClaims() Claims {

 type AuthNStore interface {
 	// Get user and factor password by email and orgID.
-	GetActiveUserAndFactorPasswordByEmailAndOrgID(ctx context.Context, email string, orgID valuer.UUID) (*types.User, *types.FactorPassword, error)
+	GetActiveUserAndFactorPasswordByEmailAndOrgID(ctx context.Context, email string, orgID valuer.UUID) (*types.StorableUser, *types.FactorPassword, error)

 	// Get org domain from id.
 	GetAuthDomainFromID(ctx context.Context, domainID valuer.UUID) (*AuthDomain, error)
--- a/pkg/types/authtypes/mapping.go
+++ b/pkg/types/authtypes/mapping.go
@@ -83,44 +83,62 @@ func (typ *RoleMapping) UnmarshalJSON(data []byte) error {
 	return nil
 }

-func (roleMapping *RoleMapping) NewRoleFromCallbackIdentity(callbackIdentity *CallbackIdentity) types.Role {
+func (roleMapping *RoleMapping) ManagedRolesFromCallbackIdentity(callbackIdentity *CallbackIdentity) (types.Role, []string) {
 	if roleMapping == nil {
-		return types.RoleViewer
+		return types.RoleViewer, []string{SigNozViewerRoleName}
 	}

 	if roleMapping.UseRoleAttribute && callbackIdentity.Role != "" {
-		if role, err := types.NewRole(strings.ToUpper(callbackIdentity.Role)); err == nil {
-			return role
+		legacyRole, err := types.NewRole(strings.ToUpper(callbackIdentity.Role))
+		if err != nil {
+			return types.RoleViewer, []string{SigNozViewerRoleName}
+		}
+		if managedRole := resolveToManagedRole(callbackIdentity.Role); managedRole != "" {
+			return legacyRole, []string{managedRole}
 		}
 	}

 	if len(roleMapping.GroupMappings) > 0 && len(callbackIdentity.Groups) > 0 {
-		highestRole := types.RoleViewer
-		found := false
-
+		highestLegacyRole := types.RoleViewer
 		for _, group := range callbackIdentity.Groups {
 			if mappedRole, exists := roleMapping.GroupMappings[group]; exists {
-				found = true
 				if role, err := types.NewRole(strings.ToUpper(mappedRole)); err == nil {
-					if compareRoles(role, highestRole) > 0 {
-						highestRole = role
+					if compareRoles(role, highestLegacyRole) > 0 {
+						highestLegacyRole = role
 					}
 				}
 			}
 		}

-		if found {
-			return highestRole
+		seen := make(map[string]struct{})
+		var roles []string
+		for _, group := range callbackIdentity.Groups {
+			if mappedRole, exists := roleMapping.GroupMappings[group]; exists {
+				managedRole := resolveToManagedRole(mappedRole)
+				if managedRole != "" {
+					if _, ok := seen[managedRole]; !ok {
+						seen[managedRole] = struct{}{}
+						roles = append(roles, managedRole)
+					}
+				}
+			}
+		}
+		if len(roles) > 0 {
+			return highestLegacyRole, roles
 		}
 	}

 	if roleMapping.DefaultRole != "" {
-		if role, err := types.NewRole(strings.ToUpper(roleMapping.DefaultRole)); err == nil {
-			return role
+		legacyRole, err := types.NewRole(strings.ToUpper(roleMapping.DefaultRole))
+		if err != nil {
+			return types.RoleViewer, []string{SigNozViewerRoleName}
+		}
+		if managedRole := resolveToManagedRole(roleMapping.DefaultRole); managedRole != "" {
+			return legacyRole, []string{managedRole}
 		}
 	}

-	return types.RoleViewer
+	return types.RoleViewer, []string{SigNozViewerRoleName}
 }

 func compareRoles(a, b types.Role) int {
@@ -131,3 +149,12 @@ func compareRoles(a, b types.Role) int {
 	}
 	return order[a] - order[b]
 }
+
+func resolveToManagedRole(role string) string {
+	// backward compatible legacy role (ADMIN -> signoz-admin) useful in case of SSO
+	if legacyRole, err := types.NewRole(strings.ToUpper(role)); err == nil {
+		return MustGetSigNozManagedRoleFromExistingRole(legacyRole)
+	}
+
+	return role
+}
--- a/pkg/types/authtypes/user_role.go
+++ b/pkg/types/authtypes/user_role.go
@@ -0,0 +1,104 @@
+package authtypes
+
+import (
+	"context"
+	"time"
+
+	"github.com/SigNoz/signoz/pkg/errors"
+	"github.com/SigNoz/signoz/pkg/types"
+	"github.com/SigNoz/signoz/pkg/valuer"
+	"github.com/uptrace/bun"
+)
+
+var (
+	ErrCodeUserRoleAlreadyExists = errors.MustNewCode("user_role_already_exists")
+)
+
+type StorableUserRole struct {
+	bun.BaseModel `bun:"table:user_role,alias:user_role"`
+
+	types.Identifiable
+
+	UserID valuer.UUID `bun:"user_id"`
+	RoleID valuer.UUID `bun:"role_id"`
+
+	types.TimeAuditable
+}
+
+func newStorableUserRole(userID valuer.UUID, roleID valuer.UUID) *StorableUserRole {
+	return &StorableUserRole{
+		Identifiable: types.Identifiable{
+			ID: valuer.GenerateUUID(),
+		},
+		UserID: userID,
+		RoleID: roleID,
+		TimeAuditable: types.TimeAuditable{
+			CreatedAt: time.Now(),
+			UpdatedAt: time.Now(),
+		},
+	}
+}
+
+func NewStorableUserRoles(userID valuer.UUID, roles []*Role) []*StorableUserRole {
+	storableUserRoles := make([]*StorableUserRole, len(roles))
+
+	for idx, role := range roles {
+		storableUserRoles[idx] = newStorableUserRole(userID, role.ID)
+	}
+
+	return storableUserRoles
+}
+
+func GetUserIDToRoleIDsMappingAndUniqueRoles(storableUserRoles []*StorableUserRole) (map[valuer.UUID][]valuer.UUID, []valuer.UUID) {
+	userIDRoles := make(map[valuer.UUID][]valuer.UUID)
+	uniqueRoleIDSet := make(map[valuer.UUID]struct{})
+
+	for _, userRole := range storableUserRoles {
+		userID := userRole.UserID
+		if _, ok := userIDRoles[userID]; !ok {
+			userIDRoles[userID] = make([]valuer.UUID, 0)
+		}
+		roleUUID := userRole.RoleID
+		userIDRoles[userID] = append(userIDRoles[userID], roleUUID)
+		uniqueRoleIDSet[userRole.RoleID] = struct{}{}
+	}
+
+	roleIDs := make([]valuer.UUID, 0, len(uniqueRoleIDSet))
+	for rid := range uniqueRoleIDSet {
+		roleIDs = append(roleIDs, rid)
+	}
+
+	return userIDRoles, roleIDs
+}
+
+func NewRoleNamesFromStorableUserRoles(storableUserRoles []*StorableUserRole, roles []*Role) ([]string, error) {
+	roleIDToName := make(map[valuer.UUID]string, len(roles))
+	for _, role := range roles {
+		roleIDToName[role.ID] = role.Name
+	}
+
+	names := make([]string, 0, len(storableUserRoles))
+	for _, storableUserRole := range storableUserRoles {
+		roleName, ok := roleIDToName[storableUserRole.RoleID]
+		if !ok {
+			return nil, errors.Newf(errors.TypeInternal, errors.CodeInternal, "role id %s not found in provided roles", storableUserRole.RoleID)
+		}
+		names = append(names, roleName)
+	}
+
+	return names, nil
+}
+
+type UserRoleStore interface {
+	// create user roles in bulk
+	CreateUserRoles(ctx context.Context, userRoles []*StorableUserRole) error
+
+	// get user roles by user id
+	GetUserRolesByUserID(ctx context.Context, userID valuer.UUID) ([]*StorableUserRole, error)
+
+	// list all user_role entries for
+	ListUserRolesByOrgIDAndUserIDs(ctx context.Context, orgID valuer.UUID, userIDs []valuer.UUID) ([]*StorableUserRole, error)
+
+	// delete user role entries by user id
+	DeleteUserRoles(ctx context.Context, userID valuer.UUID) error
+}
--- a/pkg/types/factor_api_key.go
+++ b/pkg/types/factor_api_key.go
@@ -39,15 +39,15 @@ type OrgUserAPIKey struct {
 }

 type UserWithAPIKey struct {
-	*User   `bun:",extend"`
-	APIKeys []*StorableAPIKeyUser `bun:"rel:has-many,join:id=user_id"`
+	*StorableUser `bun:",extend"`
+	APIKeys       []*StorableAPIKeyUser `bun:"rel:has-many,join:id=user_id"`
 }

 type StorableAPIKeyUser struct {
 	StorableAPIKey `bun:",extend"`

-	CreatedByUser *User `json:"createdByUser" bun:"created_by_user,rel:belongs-to,join:created_by=id"`
-	UpdatedByUser *User `json:"updatedByUser" bun:"updated_by_user,rel:belongs-to,join:updated_by=id"`
+	CreatedByUser *StorableUser `json:"createdByUser" bun:"created_by_user,rel:belongs-to,join:created_by=id"`
+	UpdatedByUser *StorableUser `json:"updatedByUser" bun:"updated_by_user,rel:belongs-to,join:updated_by=id"`
 }

 type StorableAPIKey struct {
@@ -138,7 +138,7 @@ func NewGettableAPIKeyFromStorableAPIKey(storableAPIKey *StorableAPIKeyUser) *Ge
 		LastUsed:      lastUsed,
 		Revoked:       storableAPIKey.Revoked,
 		UserID:        storableAPIKey.UserID.String(),
-		CreatedByUser: storableAPIKey.CreatedByUser,
-		UpdatedByUser: storableAPIKey.UpdatedByUser,
+		CreatedByUser: NewUserFromStorable(storableAPIKey.CreatedByUser, make([]string, 0)), // factor api key will be removed
+		UpdatedByUser: NewUserFromStorable(storableAPIKey.UpdatedByUser, make([]string, 0)), // factor api key will be removed
 	}
 }
--- a/pkg/types/invite.go
+++ b/pkg/types/invite.go
@@ -25,6 +25,7 @@ type Invite struct {
 	Email valuer.Email `bun:"email,type:text" json:"email"`
 	Token string       `bun:"token,type:text" json:"token"`
 	Role  Role         `bun:"role,type:text" json:"role"`
+	Roles []string     `bun:"roles,type:text" json:"roles"`
 	OrgID valuer.UUID  `bun:"org_id,type:text" json:"orgId"`

 	InviteLink string `bun:"-" json:"inviteLink"`
@@ -50,6 +51,7 @@ type PostableInvite struct {
 	Name            string       `json:"name"`
 	Email           valuer.Email `json:"email"`
 	Role            Role         `json:"role"`
+	Roles           []string     `json:"roles"`
 	FrontendBaseUrl string       `json:"frontendBaseUrl"`
 }

@@ -83,7 +85,7 @@ type GettableCreateInviteResponse struct {
 	InviteToken string `json:"token"`
 }

-func NewInvite(name string, role Role, orgID valuer.UUID, email valuer.Email) (*Invite, error) {
+func NewInvite(name string, role Role, roles []string, orgID valuer.UUID, email valuer.Email) (*Invite, error) {
 	invite := &Invite{
 		Identifiable: Identifiable{
 			ID: valuer.GenerateUUID(),
@@ -92,6 +94,7 @@ func NewInvite(name string, role Role, orgID valuer.UUID, email valuer.Email) (*
 		Email: email,
 		Token: valuer.GenerateUUID().String(),
 		Role:  role,
+		Roles: roles,
 		OrgID: orgID,
 		TimeAuditable: TimeAuditable{
 			CreatedAt: time.Now(),
--- a/pkg/types/tracefunneltypes/tracefunnel.go
+++ b/pkg/types/tracefunneltypes/tracefunnel.go
@@ -18,12 +18,12 @@ type StorableFunnel struct {
 	types.TimeAuditable
 	types.UserAuditable
 	bun.BaseModel `bun:"table:trace_funnel"`
-	Name          string        `json:"funnel_name" bun:"name,type:text,notnull"`
-	Description   string        `json:"description" bun:"description,type:text"`
-	OrgID         valuer.UUID   `json:"org_id" bun:"org_id,type:varchar,notnull"`
-	Steps         []*FunnelStep `json:"steps" bun:"steps,type:text,notnull"`
-	Tags          string        `json:"tags" bun:"tags,type:text"`
-	CreatedByUser *types.User   `json:"user" bun:"rel:belongs-to,join:created_by=id"`
+	Name          string              `json:"funnel_name" bun:"name,type:text,notnull"`
+	Description   string              `json:"description" bun:"description,type:text"`
+	OrgID         valuer.UUID         `json:"org_id" bun:"org_id,type:varchar,notnull"`
+	Steps         []*FunnelStep       `json:"steps" bun:"steps,type:text,notnull"`
+	Tags          string              `json:"tags" bun:"tags,type:text"`
+	CreatedByUser *types.StorableUser `json:"user" bun:"rel:belongs-to,join:created_by=id"`
 }

 type FunnelStep struct {
--- a/pkg/types/tracefunneltypes/utils_test.go
+++ b/pkg/types/tracefunneltypes/utils_test.go
@@ -443,7 +443,7 @@ func TestConstructFunnelResponse(t *testing.T) {
 				},
 				Name:  "test-funnel",
 				OrgID: orgID,
-				CreatedByUser: &types.User{
+				CreatedByUser: &types.StorableUser{
 					Identifiable: types.Identifiable{
 						ID: userID,
 					},
--- a/pkg/types/user.go
+++ b/pkg/types/user.go
@@ -33,10 +33,21 @@ var (
 	ValidUserStatus         = []valuer.String{UserStatusPendingInvite, UserStatusActive, UserStatusDeleted}
 )

-type GettableUser = User
-
 type User struct {
-	bun.BaseModel `bun:"table:users"`
+	Identifiable
+	DisplayName string        `json:"displayName"`
+	Email       valuer.Email  `json:"email"`
+	Role        Role          `json:"role"`
+	Roles       []string      `json:"roles"`
+	OrgID       valuer.UUID   `json:"orgId"`
+	IsRoot      bool          `json:"isRoot"`
+	Status      valuer.String `json:"status"`
+	DeletedAt   time.Time     `json:"-"`
+	TimeAuditable
+}
+
+type StorableUser struct {
+	bun.BaseModel `bun:"table:users,alias:users"`

 	Identifiable
 	DisplayName string        `bun:"display_name" json:"displayName"`
@@ -57,7 +68,59 @@ type PostableRegisterOrgAndAdmin struct {
 	OrgName        string       `json:"orgName"`
 }

-func NewUser(displayName string, email valuer.Email, role Role, orgID valuer.UUID, status valuer.String) (*User, error) {
+func NewStorableUser(user *User) *StorableUser {
+	if user == nil {
+		return nil
+	}
+
+	return &StorableUser{
+		Identifiable:  user.Identifiable,
+		DisplayName:   user.DisplayName,
+		Email:         user.Email,
+		Role:          user.Role,
+		OrgID:         user.OrgID,
+		IsRoot:        user.IsRoot,
+		Status:        user.Status,
+		DeletedAt:     user.DeletedAt,
+		TimeAuditable: user.TimeAuditable,
+	}
+}
+
+func NewUserFromStorable(storableUser *StorableUser, roleNames []string) *User {
+	if storableUser == nil {
+		return nil
+	}
+	return &User{
+		Identifiable:  storableUser.Identifiable,
+		DisplayName:   storableUser.DisplayName,
+		Email:         storableUser.Email,
+		Role:          storableUser.Role,
+		Roles:         roleNames,
+		OrgID:         storableUser.OrgID,
+		IsRoot:        storableUser.IsRoot,
+		Status:        storableUser.Status,
+		DeletedAt:     storableUser.DeletedAt,
+		TimeAuditable: storableUser.TimeAuditable,
+	}
+}
+
+// func NewUsersFromStorables(storableUsers []*StorableUser) []*User {
+// 	users := make([]*User, len(storableUsers))
+// 	for i, s := range storableUsers {
+// 		users[i] = NewUserFromStorable(s)
+// 	}
+// 	return users
+// }
+
+func NewStorableUsers(users []*User) []*StorableUser {
+	storableUsers := make([]*StorableUser, len(users))
+	for i, u := range users {
+		storableUsers[i] = NewStorableUser(u)
+	}
+	return storableUsers
+}
+
+func NewUser(displayName string, email valuer.Email, role Role, roles []string, orgID valuer.UUID, status valuer.String) (*User, error) {
 	if email.IsZero() {
 		return nil, errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "email is required")
 	}
@@ -81,6 +144,7 @@ func NewUser(displayName string, email valuer.Email, role Role, orgID valuer.UUI
 		DisplayName: displayName,
 		Email:       email,
 		Role:        role,
+		Roles:       roles,
 		OrgID:       orgID,
 		IsRoot:      false,
 		Status:      status,
@@ -91,7 +155,7 @@ func NewUser(displayName string, email valuer.Email, role Role, orgID valuer.UUI
 	}, nil
 }

-func NewRootUser(displayName string, email valuer.Email, orgID valuer.UUID) (*User, error) {
+func NewRootUser(displayName string, email valuer.Email, orgID valuer.UUID, roleNames []string) (*User, error) {
 	if email.IsZero() {
 		return nil, errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "email is required")
 	}
@@ -107,6 +171,7 @@ func NewRootUser(displayName string, email valuer.Email, orgID valuer.UUID) (*Us
 		DisplayName: displayName,
 		Email:       email,
 		Role:        RoleAdmin,
+		Roles:       roleNames,
 		OrgID:       orgID,
 		IsRoot:      true,
 		Status:      UserStatusActive,
@@ -119,13 +184,10 @@ func NewRootUser(displayName string, email valuer.Email, orgID valuer.UUID) (*Us

 // Update applies mutable fields from the input to the user. Immutable fields
 // (email, is_root, org_id, id) are preserved. Only non-zero input fields are applied.
-func (u *User) Update(displayName string, role Role) {
-	if displayName != "" {
-		u.DisplayName = displayName
-	}
-	if role != "" {
-		u.Role = role
-	}
+func (u *User) Update(displayName string, role Role, roles []string) {
+	u.DisplayName = displayName
+	u.Role = role
+	u.Roles = roles
 	u.UpdatedAt = time.Now()
 }

@@ -168,6 +230,15 @@ func (u *User) ErrIfRoot() error {
 	return nil
 }

+// ErrIfRoot returns an error if the user is a root user. The caller should
+// enrich the error with the specific operation using errors.WithAdditionalf.
+func (u *StorableUser) ErrIfRoot() error {
+	if u.IsRoot {
+		return errors.New(errors.TypeUnsupported, ErrCodeRootUserOperationUnsupported, "this operation is not supported for the root user")
+	}
+	return nil
+}
+
 // ErrIfDeleted returns an error if the user is in deleted state.
 // This error can be enriched with specific operation by the called using errors.WithAdditionalf
 func (u *User) ErrIfDeleted() error {
@@ -177,6 +248,15 @@ func (u *User) ErrIfDeleted() error {
 	return nil
 }

+// ErrIfDeleted returns an error if the user is in deleted state.
+// This error can be enriched with specific operation by the called using errors.WithAdditionalf
+func (u *StorableUser) ErrIfDeleted() error {
+	if u.Status == UserStatusDeleted {
+		return errors.New(errors.TypeUnsupported, ErrCodeUserStatusDeleted, "unsupported operation for deleted user")
+	}
+	return nil
+}
+
 // ErrIfPending returns an error if the user is in pending invite state.
 // This error can be enriched with specific operation by the called using errors.WithAdditionalf
 func (u *User) ErrIfPending() error {
@@ -186,10 +266,40 @@ func (u *User) ErrIfPending() error {
 	return nil
 }

+func (u *User) PatchRoles(targetRoles []string) ([]string, []string) {
+	currentRolesSet := make(map[string]struct{}, len(u.Roles))
+	inputRolesSet := make(map[string]struct{}, len(targetRoles))
+
+	for _, role := range u.Roles {
+		currentRolesSet[role] = struct{}{}
+	}
+	for _, role := range targetRoles {
+		inputRolesSet[role] = struct{}{}
+	}
+
+	// additions: roles present in input but not in current
+	additions := []string{}
+	for _, role := range targetRoles {
+		if _, exists := currentRolesSet[role]; !exists {
+			additions = append(additions, role)
+		}
+	}
+
+	// deletions: roles present in current but not in input
+	deletions := []string{}
+	for _, role := range u.Roles {
+		if _, exists := inputRolesSet[role]; !exists {
+			deletions = append(deletions, role)
+		}
+	}
+
+	return additions, deletions
+}
+
 func NewTraitsFromUser(user *User) map[string]any {
 	return map[string]any{
 		"name":         user.DisplayName,
-		"role":         user.Role,
+		"roles":        user.Roles,
 		"email":        user.Email.String(),
 		"display_name": user.DisplayName,
 		"status":       user.Status,
@@ -215,33 +325,33 @@ func (request *PostableRegisterOrgAndAdmin) UnmarshalJSON(data []byte) error {

 type UserStore interface {
 	// Creates a user.
-	CreateUser(ctx context.Context, user *User) error
+	CreateUser(ctx context.Context, user *StorableUser) error

 	// Get user by id.
-	GetUser(context.Context, valuer.UUID) (*User, error)
+	GetUser(context.Context, valuer.UUID) (*StorableUser, error)

 	// Get user by orgID and id.
-	GetByOrgIDAndID(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*User, error)
+	GetByOrgIDAndID(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*StorableUser, error)

 	// Get user by email and orgID.
-	GetUsersByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) ([]*User, error)
+	GetUsersByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) ([]*StorableUser, error)

 	// Get users by email.
-	GetUsersByEmail(ctx context.Context, email valuer.Email) ([]*User, error)
+	GetUsersByEmail(ctx context.Context, email valuer.Email) ([]*StorableUser, error)

-	// Get users by role and org.
-	GetActiveUsersByRoleAndOrgID(ctx context.Context, role Role, orgID valuer.UUID) ([]*User, error)
+	// Get active users by role name and org. join to user_role table.
+	GetActiveUsersByRoleNameAndOrgID(ctx context.Context, roleName string, orgID valuer.UUID) ([]*StorableUser, error)

 	// List users by org.
-	ListUsersByOrgID(ctx context.Context, orgID valuer.UUID) ([]*User, error)
+	ListUsersByOrgID(ctx context.Context, orgID valuer.UUID) ([]*StorableUser, error)

 	// List users by email and org ids.
-	ListUsersByEmailAndOrgIDs(ctx context.Context, email valuer.Email, orgIDs []valuer.UUID) ([]*User, error)
+	ListUsersByEmailAndOrgIDs(ctx context.Context, email valuer.Email, orgIDs []valuer.UUID) ([]*StorableUser, error)

 	// Get users for an org id using emails and statuses
-	GetUsersByEmailsOrgIDAndStatuses(context.Context, valuer.UUID, []string, []string) ([]*User, error)
+	GetUsersByEmailsOrgIDAndStatuses(context.Context, valuer.UUID, []string, []string) ([]*StorableUser, error)

-	UpdateUser(ctx context.Context, orgID valuer.UUID, user *User) error
+	UpdateUser(ctx context.Context, orgID valuer.UUID, user *StorableUser) error
 	DeleteUser(ctx context.Context, orgID string, id string) error
 	SoftDeleteUser(ctx context.Context, orgID string, id string) error

@@ -267,10 +377,10 @@ type UserStore interface {
 	CountByOrgIDAndStatuses(ctx context.Context, orgID valuer.UUID, statuses []string) (map[valuer.String]int64, error)

 	// Get root user by org.
-	GetRootUserByOrgID(ctx context.Context, orgID valuer.UUID) (*User, error)
+	GetRootUserByOrgID(ctx context.Context, orgID valuer.UUID) (*StorableUser, error)

 	// Get user by reset password token
-	GetUserByResetPasswordToken(ctx context.Context, token string) (*User, error)
+	GetUserByResetPasswordToken(ctx context.Context, token string) (*StorableUser, error)

 	// Transaction
 	RunInTx(ctx context.Context, cb func(ctx context.Context) error) error
Author	SHA1	Message	Date
Karan Balani	ed2adc0346	chore: keep support for role for backward compatibility	2026-03-18 23:44:56 +05:30
Karan Balani	b490ad0921	fix: leftovers	2026-03-18 22:08:24 +05:30
Karan Balani	1960bd5405	feat: introduce user_role table	2026-03-18 20:21:52 +05:30
Karan Balani	3ec91fcc19	fix: types for email and org id in storableuser struct	2026-03-18 02:31:52 +05:30
Karan Balani	53e46a3a2c	chore: use deleted at also in conversions and remove user_role file, will be added in diff pr	2026-03-18 02:10:15 +05:30
Karan Balani	756c3274ff	chore: revert openapi changes, keeping this clean	2026-03-18 01:57:24 +05:30
Karan Balani	05cd026983	chore: update openapi spec	2026-03-18 01:21:15 +05:30
Karan Balani	1770ded9df	refactor: separate db and domain models for user	2026-03-17 22:44:13 +05:30